
Pin GitHub Actions to commit SHAs#779

Merged
necolas merged 2 commits into main from nicolas/ci-pinned-actions on Jun 6, 2026

Conversation

@necolas

@necolas necolas commented Jun 5, 2026

Contributor

Pins every third-party action to a full commit SHA and adds the tooling to keep that policy fresh and enforced. A version tag like @v4 is mutable and whoever controls the action can repoint it at new code; SHA pinning is a way to mitigate supply-chain risks of actions we don't own.

Changes

  • Pin all external actions to SHAs (checkout, upload/download-artifact,
    cache, setup-bun, stickydisk), each annotated with its # vX.Y.Z.
  • Dependabot (github-actions, weekly, grouped) opens a single PR to bump
    the SHAs and their version comments. Uses directories with a /.github/actions/*
    glob so the CI workflows and every local composite action are covered.
  • actions-pinned CI job fails any change that introduces an external
    action referenced by tag/branch instead of a 40-char SHA (local ./ actions
    exempt), so the policy can't silently regress.

Notes

  • The pinning behavior is unchanged from the version tags — SHAs were resolved
    from each action's current release.
  • After merge: add Actions pinned to SHA to the main branch-protection
    required checks so the guard blocks rather than just advises. Dependabot only
    activates once dependabot.yml is on the default branch.

@necolas necolas requested review from SlexAxton and mdo June 5, 2026 02:39
@vercel

vercel Bot commented Jun 5, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
pierre-docs-diffs Ready Ready Preview Jun 6, 2026 1:07am
pierre-docs-diffshub Ready Ready Preview Jun 6, 2026 1:07am
pierre-docs-trees Ready Ready Preview Jun 6, 2026 1:07am
pierrejs-diff-demo Ready Ready Preview Jun 6, 2026 1:07am


@necolas necolas changed the title from "Nicolas/ci pinned actions" to "Pin GitHub Actions to commit SHAs" Jun 5, 2026
Base automatically changed from nicolas/ci-fixes to main June 5, 2026 18:32
necolas added 2 commits June 5, 2026 18:05
Pin every external action (checkout, upload/download-artifact, cache,
setup-bun, stickydisk) to a full commit SHA with a trailing version
comment, so a moved tag can't silently change what runs in CI. SHAs were
resolved from each action's published release tags.

Add a Dependabot github-actions config that opens grouped weekly PRs to
bump the pinned SHAs and their version comments. It needs two entries
because directory:/ only scans .github/workflows; the second covers the
shared composite at .github/actions/setup.

Add an actions-pinned CI job that fails any change introducing an
external action referenced by a tag or branch instead of a full commit
SHA (local ./ actions are exempt), so the pinning policy can't silently
regress.
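The guard described in the PR summary and in the commit message above, as an added example that is not the project's own CI script: it scans `uses:` entries in workflow and composite-action files, fails on any external action referenced by a tag, branch or abbreviated SHA rather than a 40-hex-char commit, exempts local `./` actions, and additionally warns (not fails) when a SHA pin has no trailing `# vX.Y.Z` comment, since that comment is what Dependabot rewrites alongside the SHA. The sample workflow text, the action names in it and the 40-hex placeholder SHA are constructed for the example, not taken from the repository; the `docker://` exemption is an assumption, since the PR does not mention container references.

```python
"""Fail CI when an external GitHub Action is not pinned to a full commit SHA.

Added example, not the project's own script. Policy as described in the PR:
external actions must be referenced by a 40-hex-char commit SHA; local `./`
actions are exempt. Container (`docker://`) refs are skipped here as an
assumption, since the PR does not cover them.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# A `uses:` entry, optionally quoted, optionally followed by a `# vX.Y.Z` note.
# Lines that are commented out never match, because `#` is not allowed before `uses:`.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"\s#]+)['"]?\s*(?:#\s*(?P<note>\S.*))?$"""
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_NOTE_RE = re.compile(r"v?\d+(\.\d+)*")


def check_uses_line(line: str) -> list[tuple[str, str]]:
    """Return (level, message) findings for one line; empty if the line is acceptable."""
    m = USES_RE.match(line)
    if m is None:
        return []                                   # not a `uses:` entry
    ref = m.group("ref")
    if ref.startswith("./"):
        return []                                   # local composite action: exempt
    if ref.startswith("docker://"):
        return []                                   # container image ref (assumption: out of scope)
    action, sep, version = ref.rpartition("@")
    if not sep:
        return [("error", f"{ref}: no ref given, floats to the action's default branch")]
    if not FULL_SHA_RE.fullmatch(version):
        return [("error", f"{action}: pinned to {version!r}, not a 40-char commit SHA")]
    note = (m.group("note") or "").strip()
    if not VERSION_NOTE_RE.fullmatch(note):
        # Advisory only: Dependabot bumps the SHA either way, but without the
        # comment a human cannot tell which release the SHA corresponds to.
        return [("warn", f"{action}: SHA pin lacks a trailing '# vX.Y.Z' comment")]
    return []


def check_workflow_text(text: str, name: str = "<inline>") -> list[tuple[str, str]]:
    """Check every line of one workflow or action.yml; messages carry name:line."""
    findings: list[tuple[str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        for level, msg in check_uses_line(line):
            findings.append((level, f"{name}:{n}: {msg}"))
    return findings


def check_repo(root: Path) -> list[tuple[str, str]]:
    """Scan CI workflows and every local composite action, mirroring the Dependabot scope."""
    patterns = (".github/workflows/*.yml", ".github/workflows/*.yaml",
                ".github/actions/*/action.yml", ".github/actions/*/action.yaml")
    findings: list[tuple[str, str]] = []
    for pattern in patterns:
        for path in sorted(root.glob(pattern)):
            findings += check_workflow_text(path.read_text(), str(path.relative_to(root)))
    return findings


# Constructed sample; the SHA is a placeholder, not a real commit of any action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: ./.github/actions/setup
      - uses: actions/cache@v4
      - uses: oven-sh/setup-bun@main
      - uses: "actions/upload-artifact@abc1234"
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567
      # - uses: actions/download-artifact@v4
"""


def has_errors(findings: list[tuple[str, str]]) -> bool:
    return any(level == "error" for level, _ in findings)


if __name__ == "__main__":
    # With a path argument, scan that checkout; otherwise run against the sample.
    result = check_repo(Path(sys.argv[1])) if len(sys.argv) > 1 \
        else check_workflow_text(SAMPLE_WORKFLOW, "ci.yml")
    for level, msg in result:
        print(f"{level}: {msg}")
    sys.exit(1 if has_errors(result) else 0)
```

Run with the repository root as the argument from a CI step; a non-zero exit is what turns the job red, and making that job a required branch-protection check is what turns the advisory into a block, as the PR notes.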
@necolas

necolas commented Jun 6, 2026

Contributor Author

Rebased on main and fixed format error
