Pin GitHub Actions to commit SHAs#779

Open

necolas wants to merge 2 commits into nicolas/ci-fixes from nicolas/ci-pinned-actions

Conversation

@necolas (Contributor) commented Jun 5, 2026

Pins every third-party action to a full commit SHA and adds the tooling to keep that policy fresh and enforced. A version tag like @v4 is mutable and whoever controls the action can repoint it at new code; SHA pinning is a way to mitigate supply-chain risks of actions we don't own.

Changes

  • Pin all external actions to SHAs (checkout, upload/download-artifact,
    cache, setup-bun, stickydisk), each annotated with its # vX.Y.Z.
  • Dependabot (github-actions, weekly, grouped) opens a single PR to bump
    the SHAs and their version comments. Uses directories with a /.github/actions/*
    glob so the CI workflows and every local composite action are covered.
  • actions-pinned CI job fails any change that introduces an external
    action referenced by tag/branch instead of a 40-char SHA (local ./ actions
    exempt), so the policy can't silently regress.

Notes

  • The pinning behavior is unchanged from the version tags — SHAs were resolved
    from each action's current release.
  • After merge: add Actions pinned to SHA to the main branch-protection
    required checks so the guard blocks rather than just advises. Dependabot only
    activates once dependabot.yml is on the default branch.
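The PR describes an actions-pinned CI job that fails on any external action referenced by a tag or branch instead of a 40-character commit SHA, with local ./ actions exempt. The following is an added illustration of that check, written for this page and not the PR's own job or script. It scans the text of a workflow or composite action for uses: lines and reports refs that are not full SHAs, plus SHAs that lack the # vX.Y.Z version comment the PR adds. The sample workflow, its SHAs (all-zero and all-one placeholders) and the version numbers in it are constructed for the example.

```python
import re
import sys

# Matches a `uses:` step, with or without quotes, optionally followed by a
# `# vX.Y.Z` comment. Group 1 is the action ref, group 2 the comment text.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)["\']?(?:\s*#\s*(.*?))?\s*$'
)
# A full commit SHA is exactly 40 hex characters.
SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')

# Constructed sample workflow (not from the PR). SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.2.2
      - uses: ./.github/actions/setup
      - uses: actions/cache@v4
      - uses: actions/upload-artifact@main
      - uses: oven-sh/setup-bun@1111111111111111111111111111111111111111
"""


def check_uses(text):
    """Return (line_no, ref, reason) for every `uses:` that violates the
    pinning policy. Local `./` actions are exempt; everything else must be
    pinned to a 40-hex SHA and carry a version comment."""
    problems = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./"):
            continue  # repo-local composite action, nothing external to pin
        if "@" not in ref:
            problems.append((line_no, ref, "no @ref at all"))
            continue
        _action, version = ref.rsplit("@", 1)
        if not SHA_RE.fullmatch(version):
            problems.append((line_no, ref, "ref is a tag/branch, not a 40-char SHA"))
        elif not (comment and re.match(r"v?\d", comment)):
            problems.append((line_no, ref, "SHA is missing its # vX.Y.Z comment"))
    return problems


def check_files(paths):
    """Run check_uses over each file; return all problems tagged with the path."""
    found = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for line_no, ref, reason in check_uses(fh.read()):
                found.append((path, line_no, ref, reason))
    return found


if __name__ == "__main__":
    # Usage in CI: python check_pins.py .github/workflows/*.yml .github/actions/*/action.yml
    # With no arguments, the constructed sample is checked instead.
    if len(sys.argv) > 1:
        results = [f"{p}:{n}: {ref}: {why}" for p, n, ref, why in check_files(sys.argv[1:])]
    else:
        results = [f"sample:{n}: {ref}: {why}" for n, ref, why in check_uses(SAMPLE_WORKFLOW)]
    for r in results:
        print(r)
    sys.exit(1 if results else 0)
```

Run against the sample, the checkout step passes, the local setup action is skipped, and the three remaining steps are reported: the cache and upload-artifact refs are a tag and a branch, and the setup-bun ref is a SHA without its version comment. Exiting non-zero on any finding is what makes the job a blocking check once it is added to branch-protection required checks.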

necolas added 2 commits June 4, 2026 18:55
Pin every external action (checkout, upload/download-artifact, cache,
setup-bun, stickydisk) to a full commit SHA with a trailing version
comment, so a moved tag can't silently change what runs in CI. SHAs were
resolved from each action's published release tags.

Add a Dependabot github-actions config that opens grouped weekly PRs to
bump the pinned SHAs and their version comments. It needs two entries
because directory:/ only scans .github/workflows; the second covers the
shared composite at .github/actions/setup.

Add an actions-pinned CI job that fails any change introducing an
external action referenced by a tag or branch instead of a full commit
SHA (local ./ actions are exempt), so the pinning policy can't silently
regress.
@necolas necolas requested review from SlexAxton and mdo June 5, 2026 02:39
@vercel (Bot) commented Jun 5, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
pierre-docs-diffs Ready Ready Preview Jun 5, 2026 2:39am
pierre-docs-diffshub Ready Ready Preview Jun 5, 2026 2:39am
pierre-docs-trees Ready Ready Preview Jun 5, 2026 2:39am
pierrejs-diff-demo Ready Ready Preview Jun 5, 2026 2:39am
@necolas necolas changed the title Nicolas/ci pinned actions Pin GitHub Actions to commit SHAs Jun 5, 2026