Skip to content

[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security #150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 18, 2025
Merged

[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security #150

merged 2 commits into from
Sep 18, 2025

Conversation

@juliendoutre
Copy link
Contributor

🔒 Security Enhancement: GitHub Actions Pinning

📋 What This PR Does

This PR automatically pins GitHub Actions references from tag-based versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...) while preserving the original tag as a comment for readability.
No functional changes to your workflows - they'll work exactly the same way

🎯 Why This Matters

Supply Chain Security: Pinning GitHub Actions to specific SHA hashes prevents supply chain security and reliability risks because git tags are mutable and can be moved to point to different commits by malicious actors or maintainers, potentially introducing vulnerabilities or breaking changes into workflows.

🤖 Keep Actions Updated with Dependabot

Now that your actions are pinned to SHA hashes, you can enable Dependabot to automatically create PRs when new versions are available. Add this configuration to your repository:

Create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore"
      include: "scope"

This will:

  • 🔄 Check for action updates weekly
  • 📬 Create PRs automatically when newer versions are available
  • 🏷️ Update both the SHA hash and the comment with the new tag
  • 🎯 Keep your actions secure AND up-to-date

🤝 Questions or Concerns?

For any questions about this security enhancement, please reach out to the SDL Security team in the #sdlc-security Slack channel.

This PR was automatically generated by the GitHub Actions Pinning Tool as part of our ongoing security improvements.

@juliendoutre juliendoutre requested a review from a team as a code owner August 18, 2025 11:48
eliottness
eliottness requested changes Aug 18, 2025
View reviewed changes
Copy link
Contributor

@eliottness eliottness left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a way to put repositories like DataDog/dd-trace-go in a whitelist ?

.github/workflows/test.yml Outdated
if: "!contains(github.event.pull_request.labels.*.name, 'skip-smoke-tests')"
name: Smoke Tests
uses: DataDog/dd-trace-go/.github/workflows/smoke-tests.yml@main
uses: DataDog/dd-trace-go/.github/workflows/smoke-tests.yml@9987c40fded9bb795b7ac0e11e5ed93dc8aa94a3 # main
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is used for cross-validation between repositories we own and trust. Pinning it make it lose it's meaning for us and for the nightly

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got you, I will edit the PR to remove this specific hash from the changes. Thanks for flagging!

@juliendoutre
Copy link
Contributor Author

/merge

@dd-devflow-routing-codex
Copy link

dd-devflow-routing-codex bot commented Aug 18, 2025
edited
Loading

View all feedbacks in Devflow UI.

2025-08-18 13:25:41 UTC ℹ️ Start processing command /merge

2025-08-18 13:25:57 UTC ℹ️ MergeQueue: waiting for PR to be ready

This merge request is not mergeable yet, because of pending checks/missing approvals. It will be added to the queue as soon as checks pass and/or get approvals.
Note: if you pushed new commits since the last approval, you may need additional approval.
You can remove it from the waiting list with /remove command.

2025-08-18 17:26:11 UTC ⚠️ MergeQueue: This merge request was unqueued

devflow unqueued this merge request: It did not become mergeable within the expected time

@eliottness eliottness force-pushed the pin-github-actions-1755517715 branch from 4b5b513 to 8f193c2 Compare September 18, 2025 08:19
@eliottness eliottness merged commit 43e55d4 into main Sep 18, 2025
107 checks passed
@eliottness eliottness deleted the pin-github-actions-1755517715 branch September 18, 2025 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eliottness eliottness eliottness approved these changes

Assignees

No one assigned

Labels

mergequeue-status: removed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@juliendoutre @eliottness