ci: pin third-party actions to commit SHAs #362

Open

postalservice14 wants to merge 1 commit into anothrNick:master from postalservice14:ci/pin-actions-to-sha

Conversation

@postalservice14

Summary of changes

Pins every third-party GitHub Action used in the lint, test and main (release)
workflows to a full commit SHA, keeping the human-readable version in a trailing comment:

  • actions/checkout@v4 → actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  • reviewdog/action-shellcheck@v1 → reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1
  • reviewdog/action-hadolint@v1 → reviewdog/action-hadolint@921946a7ebaaf08ac72607bad67209f4e52b5407 # v1
  • reviewdog/action-actionlint@v1 → reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # v1
  • bats-core/bats-action@3.0.1 → bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1
  • softprops/action-gh-release@v2.0.0 → softprops/action-gh-release@a6c7483a42ee9d5daced968f6c217562cd680f7f # v2.0.0

Tag and branch refs are mutable; pinning to commit SHAs is GitHub's recommended hardening
and guards against supply-chain compromise such as the reviewdog incident (#336).

The local `uses: ./` self-references and `anothrNick/github-tag-action@master` are left
as-is (intentional per the comments in main.yml).

Breaking Changes

Do any of the included changes break current behaviour or configuration?

NO — CI-only. No change to entrypoint.sh, action.yml or Dockerfile. Versions are
preserved, not upgraded (e.g. softprops is pinned to the existing 2.0.0 SHA).

How changes have been tested

  • Re-resolved each SHA from its current tag via the GitHub API immediately before pinning.
  • Ran actionlint locally: the only findings are pre-existing shellcheck notes inside the
    test.yml inline script (SC2086 etc.) — none are on the changed uses: lines and none
    are introduced by this PR.

List any unknowns

Tag and branch refs are mutable; pinning third-party actions to full commit
SHAs (with the version preserved in a trailing comment) follows GitHub's
recommended hardening and guards against supply-chain compromise such as the
reviewdog incident. CI-only, no change to entrypoint.sh behavior. Existing
versions are preserved (softprops pinned to the 2.0.0 SHA, not bumped).
Addresses anothrNick#336.
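The check this PR performs by hand (is every third-party `uses:` ref a full 40-hex commit SHA, with local `./` actions out of scope?) is easy to automate and to keep running in CI. The following is an added example, not code from this PR or from the github-tag-action project: it scans workflow text for `uses:` lines, reports the ones that still point at a mutable tag or branch, and rewrites a line to the `action@<sha> # <tag>` form used in this PR once the caller has resolved the SHA. The sample workflow is constructed for the example; the `actions/checkout` SHA is the one listed in the PR description.

```python
import re

# A full commit SHA: 40 lowercase hex characters. Abbreviated SHAs are
# rejected on purpose, since GitHub treats them as mutable-looking refs too.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Matches "uses: owner/repo@ref" (optionally as a "- uses:" list item) and
# captures the leading text, the action name and the ref. Lines without an
# "@" (local "./" actions, docker:// images) do not match and are skipped.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[^\s#@]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)

# Constructed sample workflow, mirroring the shapes found in the PR's lint job.
SAMPLE_WORKFLOW = """\
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1
      - uses: ./
      - uses: anothrNick/github-tag-action@master
"""


def find_unpinned_uses(workflow_text, allow=()):
    """Return [(line_number, 'owner/repo@ref'), ...] for every third-party action
    whose ref is not a full commit SHA. Actions named in `allow` (e.g. a repo's
    own action deliberately tracked by branch, as in this PR) are ignored."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue  # no "@": local path or container image, not pinnable here
        action, ref = m.group("action"), m.group("ref")
        if action in allow or SHA_RE.match(ref):
            continue
        findings.append((lineno, f"{action}@{ref}"))
    return findings


def pin_uses_line(line, sha):
    """Rewrite one 'uses: action@tag' line to 'uses: action@<sha> # tag'.
    The human-readable tag is kept as a trailing comment so reviewers (and
    update tooling) can still see which version the SHA corresponds to."""
    m = USES_RE.match(line)
    if m is None:
        raise ValueError(f"not a pinnable uses: line: {line!r}")
    if not SHA_RE.match(sha):
        raise ValueError(f"refusing to pin to a non-SHA ref: {sha!r}")
    return f"{m.group('prefix')}{m.group('action')}@{sha} # {m.group('ref')}"


def pin_workflow(workflow_text, resolved):
    """Apply pin_uses_line to every line whose 'action@ref' is a key of
    `resolved` (a dict of 'owner/repo@tag' -> commit SHA). Resolving tags to
    SHAs is left to the caller; see the note below the block."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        key = f"{m.group('action')}@{m.group('ref')}" if m else None
        out.append(pin_uses_line(line, resolved[key]) if key in resolved else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW, allow=("anothrNick/github-tag-action",)):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
    # SHA taken from the PR description's actions/checkout entry.
    pinned = pin_workflow(SAMPLE_WORKFLOW, {"actions/checkout@v4": "34e114876b0b11c390a56381ad16ebd13914f8d5"})
    print(pinned)
```

The resolution step is deliberately outside the block: the PR re-resolved each SHA from its tag via the GitHub API, and a `git ls-remote https://github.com/OWNER/REPO 'refs/tags/v4^{}'` query (the `^{}` suffix peels an annotated tag to the commit it points at) gives the same answer without a token. Whichever way the SHA is obtained, the checker above only accepts a 40-hex value, so a tag-object SHA or a typo in the comment form cannot slip through as a "pinned" ref.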