
Pin GitHub Actions to commit SHAs at latest versions#1143

Merged
milesarmstrong merged 1 commit into main from miles/pin-actions
Apr 8, 2026

Conversation

@milesarmstrong
Contributor

Summary

  • Pin all GitHub Actions to specific commit SHAs for supply chain security
  • Update all actions to their latest released versions

Action                                      Previous  Updated  SHA
hmarr/auto-approve-action                   v2        v4.0.0   f0939ea9
actions/checkout                            v4        v6.0.2   de0fac2e
actions/setup-node                          v4        v6.3.0   53b83947
actions/cache                               v4        v5.0.4   66822842
peter-evans/create-pull-request             v5.0.3    v8.1.0   c0f553fe
peter-evans/enable-pull-request-automerge   v3        v3.0.0   a660677d

Changelog review

actions/checkout (v4 → v6) ✅ No impact

  • v5: Node 20 → 24 runtime (runner ≥ v2.327.1)
  • v6: Credentials stored in $RUNNER_TEMP instead of .git/config (runner ≥ v2.329.0)
  • Our usage is basic checkout with optional fetch-depth: 0. No impact on GitHub-hosted runners.

actions/setup-node (v4 → v6) ✅ No impact

  • v5: Auto-caching when packageManager field exists in package.json; Node 24 runtime
  • v6: Auto-caching narrowed to npm only (yarn/pnpm must opt in explicitly)
  • We use node-version-file: .tool-versions with yarn and don't use the cache input. Auto-caching won't kick in for yarn.

actions/cache (v4 → v5) ✅ No impact

  • v5: Node 20 → 24 runtime. No input/output changes at all.
  • We use standard path/key/restore-keys — all unchanged.

hmarr/auto-approve-action (v2 → v4) ✅ No impact

  • v3: Node 12 → 16; v4: Node 16 → 20. No input/output changes across any version.
  • Our github-token input works identically.

peter-evans/create-pull-request (v5 → v8) ✅ No impact

  • v6: Default committer/author changed; new git-token input
  • v7: git-token renamed to branch-token; pull-request-operation output returns "none" instead of empty on no-op; removed deprecated PULL_REQUEST_NUMBER env var
  • v8: Node 24 runtime
  • We explicitly set committer/author (unaffected by default change), never used git-token, use the action output pull-request-number not the env var, and our == 'created' check correctly handles the new "none" value.

peter-evans/enable-pull-request-automerge (v3 → v3.0.0) ✅ No impact

  • Already on v3, now pinned to the exact SHA. No version change.

Test plan

  • CI passes on this PR (lint, test, commitlint)
  • Verify release workflow runs correctly on next merge to main

🤖 Generated with Claude Code

Update all actions across CI, release, and auto-approve workflows
to be pinned to specific commit SHAs for supply chain security.

- hmarr/auto-approve-action: v2 → v4.0.0
- actions/checkout: v4 → v6.0.2
- actions/setup-node: v4 → v6.3.0
- actions/cache: v4 → v5.0.4
- peter-evans/create-pull-request: v5.0.3 → v8.1.0
- peter-evans/enable-pull-request-automerge: v3 → v3.0.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
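As an added check that is not part of this PR or the repository's own tooling, the script below classifies every `uses:` reference in a workflow file the way this review did: full 40-character SHA with a trailing version comment, full SHA without a comment, abbreviated SHA, or a mutable tag/branch. The sample workflow is constructed; its 40-character SHAs are placeholders, and the `actions/setup-node@53b83947` line reuses the prefix from the table above only to show why an abbreviated SHA is flagged.

```python
import re
from typing import List, Optional, Tuple

# Matches a remote action reference `uses: owner/repo[/path]@ref [# comment]`.
# Local (`./path`) and container (`docker://...`) references have no owner/repo@ref form and are skipped.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([^\s'"#]+)['"]?\s*(#.*)?$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")

# Constructed sample workflow; the 40-character SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@53b83947
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v5.0.4
      - uses: peter-evans/create-pull-request@0123456789abcdef0123456789abcdef01234567
      - run: yarn test
"""


def classify_ref(ref: str, comment: Optional[str]) -> str:
    """Classify one action ref the way a pinning review would."""
    if FULL_SHA_RE.match(ref):
        # A full SHA is immutable; the `# vX.Y.Z` comment is what lets humans and
        # update bots see which release the SHA corresponds to.
        return "ok" if comment else "pinned-no-version-comment"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"   # abbreviated: pin the full 40-character SHA instead
    return "mutable-ref"     # tag or branch: the maintainer (or an attacker) can move it


def check_pins(workflow_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, action, ref, finding) for each `uses:` step in a workflow file."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, comment = m.groups()
            findings.append((line_no, action, ref, classify_ref(ref, comment)))
    return findings


def unpinned(workflow_text: str) -> List[Tuple[int, str, str, str]]:
    """Only the steps a reviewer would block on: anything not pinned to a full SHA."""
    return [f for f in check_pins(workflow_text) if f[3] in ("mutable-ref", "short-sha")]


if __name__ == "__main__":
    for line_no, action, ref, finding in check_pins(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {finding}")
```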
milesarmstrong requested a review from a team as a code owner, April 8, 2026 08:59
milesarmstrong merged commit df8004d into main, Apr 8, 2026
6 of 7 checks passed
milesarmstrong deleted the miles/pin-actions branch, April 8, 2026 09:20