ci: pin all GitHub Actions to full-length commit SHAs#2122
Merged
Conversation
Pin every action reference to an immutable 40-char commit SHA with a trailing version comment, hardening against supply-chain attacks via mutable tags. Dependabot keeps both the SHA and comment up to date.
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s GitHub Actions supply chain by replacing all tag/branch-based uses: references in workflows with immutable 40-character commit SHAs, annotated with the corresponding action version comment. This aligns with GitHub/OpenSSF recommendations and reduces the risk of upstream tag/branch retargeting.
Changes:
- Pinned all
uses:action references across workflows to full-length commit SHAs with trailing# vX.Y.Zcomments. - Replaced
pypa/gh-action-pypi-publish@release/v1with a pinned SHA (keeping trusted publishing semantics while removing the mutable ref). - Ensured no remaining
@v*or@mainaction references exist in.github/workflows/*(verified), and spot-verified tags resolve to the pinned SHAs for the updated actions.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/test.yml | Pins checkout/setup-python/setup-uv actions to immutable SHAs. |
| .github/workflows/release.yml | Pins workflow actions and replaces PyPI publish action branch ref with a SHA. |
| .github/workflows/release-drafter.yml | Pins release-drafter action to a SHA with version comment. |
| .github/workflows/pr-labeler.yml | Pins PR labeler action to a SHA with version comment. |
| .github/workflows/lint.yaml | Pins checkout/setup-python/setup-uv actions to immutable SHAs. |
| .github/workflows/generate-enums.yml | Pins actions including create-pull-request to an immutable SHA. |
| .github/workflows/docs.yml | Pins workflow actions including Pages upload/deploy actions to SHAs. |
| .github/workflows/codeql.yml | Pins checkout and CodeQL init/analyze actions to SHAs. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pin every action reference across all 8 workflow files to an immutable 40-char commit SHA, each with a trailing `# vX.Y.Z` comment.
Why
A tag like `@v6` is a mutable pointer — whoever controls the action's repo can re-point it at malicious code, which every run then picks up silently. Pinning to a full SHA makes the reference immutable (GitHub / OpenSSF Scorecard hardening recommendation). Highest blast radius here: `pypa/gh-action-pypi-publish` (PyPI trusted publishing) and `peter-evans/create-pull-request` (write-token PR creation).
Notes
Follow-up
After merge, enable the repo setting "Require actions to be pinned to a full-length commit SHA" to prevent any future unpinned ref from being reintroduced. (Enabling it before merge would break CI, since it rejects tag/branch refs.)