Pin GitHub Actions to SHA references for supply chain security#122
Co-authored-by: FidelusAleksander <63016446+FidelusAleksander@users.noreply.github.com>
@copilot lock to specific vX.X.X versions instead of major ones
…jor versions Co-authored-by: FidelusAleksander <63016446+FidelusAleksander@users.noreply.github.com>
Updated all version comments to use specific patch versions (vX.X.X) instead of major versions. The SHA references remain unchanged as they already point to the specific versions:
Commit: db8f4bd
Pull request overview
This PR implements a security hardening measure by pinning all GitHub Actions references to specific SHA commits instead of mutable version tags (e.g., v6). This protects against supply chain attacks where action maintainers could potentially update a version tag to point to malicious code. The changes maintain readability by including version comments alongside SHA references.
Key Changes:
- All GitHub Actions workflow files updated to use SHA-pinned action references
- Version comments changed from major versions (e.g., v6) to specific patch versions (e.g., v6.0.1)
- Dependabot configuration already in place to keep SHA-pinned actions updated
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/ci.yml | Updated actions/checkout, actions/setup-node, and actions/upload-artifact to use SHA references with v6.0.1, v6.1.0, and v5.0.0 version comments respectively |
| .github/workflows/release-drafter.yml | Updated actions/checkout and release-drafter/release-drafter to use SHA references with v6.0.1 and v6.1.0 version comments |
| .github/workflows/labeler.yml | Updated actions/labeler to use SHA reference with v6.0.1 version comment |
| .github/workflows/test-action.yml | Updated actions/checkout and skills/action-keyphrase-checker to use SHA references with v6.0.1 and v1.1.0 version comments |
| .github/workflows/update-major-version.yml | Updated actions/checkout to use SHA reference with v6.0.1 version comment |
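The review above explains why a mutable tag such as `@v6` is a supply-chain risk and why the PR replaces it with a full commit SHA plus a human-readable version comment. The following script is an added example, not code from this PR or from the repository: it scans a workflow for `uses:` lines and classifies each reference so a CI job or pre-commit hook can flag actions that are still pinned to a movable tag. The embedded workflow text and the 40-character SHA in it are constructed placeholders (the SHA is not the real commit for actions/checkout v6.0.1; the PR only shows the abbreviated prefix).

```python
import re
from typing import List, Optional, Tuple

# Constructed sample workflow (not the PR's file). It shows the weak form
# (mutable tag), the hardened form (full SHA + version comment), and two
# reference kinds that SHA pinning does not apply to.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Mutable tag: whoever controls the action repo can move it later.
      - uses: actions/checkout@v6
      # Immutable commit SHA; the trailing comment keeps the version readable
      # and lets Dependabot update both. PLACEHOLDER SHA, not the real one.
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches `uses: <value>` optionally followed by a `# <version>` comment.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?[ \t]*(#[ \t]*(\S+))?",
    re.MULTILINE,
)
# Only a full 40-hex commit id counts as pinned; abbreviated SHAs and tags
# (even patch tags like v6.0.1) can be re-pointed and are treated as mutable.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(uses_value: str, comment: Optional[str]) -> str:
    """Classify one `uses:` value by how it is pinned."""
    if uses_value.startswith("./"):
        return "local"            # action in this repo; nothing to pin
    if uses_value.startswith("docker://"):
        return "docker"           # image reference; pin by digest, not SHA
    if "@" not in uses_value:
        return "unpinned"         # no ref at all (defaults to the default branch)
    _, ref = uses_value.rsplit("@", 1)
    if FULL_SHA_RE.match(ref):
        return "sha-pinned" if comment else "sha-pinned-no-comment"
    return "mutable-ref"


def audit_workflow(text: str) -> List[Tuple[str, str]]:
    """Return (uses value, status) for every `uses:` line in the workflow."""
    return [(m.group(1), classify(m.group(1), m.group(3)))
            for m in USES_RE.finditer(text)]


def mutable_refs(text: str) -> List[str]:
    """Only the references a reviewer should reject."""
    return [u for u, s in audit_workflow(text) if s in ("mutable-ref", "unpinned")]


if __name__ == "__main__":
    for uses_value, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{status:24} {uses_value}")
    bad = mutable_refs(SAMPLE_WORKFLOW)
    raise SystemExit(1 if bad else 0)
```

Run it over every file under `.github/workflows/` and fail the job when `mutable_refs` is non-empty; the version comment after the SHA is what Dependabot (already configured in this repository, per the review) uses to propose bumps while keeping the commit id as the thing that is actually trusted.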
Plan: Update workflows to use SHA references instead of v* tags
- .github/workflows/ci.yml to use SHA references with version comments
- .github/workflows/release-drafter.yml to use SHA references with version comments
- .github/workflows/labeler.yml to use SHA references with version comments
- .github/workflows/test-action.yml to use SHA references with version comments
- .github/workflows/update-major-version.yml to use SHA references with version comments
- .github/dependabot.yml to keep SHA-pinned actions up to date (already configured)
Summary
Successfully updated all GitHub Actions workflows to use SHA references with specific version comments for improved security and clarity.
Actions Pinned (Updated):
- actions/checkout@v6.0.1 (SHA: 8e8c483...)
- actions/setup-node@v6.1.0 (SHA: 395ad32...)
- actions/upload-artifact@v5.0.0 (SHA: 330a01c...)
- actions/labeler@v6.0.1 (SHA: 634933e...)
- release-drafter/release-drafter@v6.1.0 (SHA: b1476f6...)
- skills/action-keyphrase-checker@v1.1.0 (SHA: 7f46383...)
All version comments now reference specific patch versions (vX.X.X) instead of major versions (vX) for better tracking and clarity.