
Pin GitHub Action references to commit SHAs#162

Merged
thpierce merged 1 commit into main from pin-github-actions-sha
Mar 17, 2026

Conversation

@thpierce (Contributor) commented Mar 17, 2026

Summary

Pin all GitHub Action references to full commit SHAs instead of mutable version tags to prevent supply chain attacks. This is a security best practice recommended by GitHub's security hardening guide.

Mutable version tags (e.g. @v2) can be moved to point to different commits, meaning a compromised upstream action could execute malicious code in our workflows. Pinning to commit SHAs ensures we always run the exact code we've reviewed.

Related: apm-telegen-3022

Changes

| Old Reference | New Reference | Hash | Version |
|---|---|---|---|
| actions/cache@v3 | actions/cache@6f8efc2 | 6f8efc29b200d32929f49075959781ed54ec270c | v3.5.0 |
| actions/checkout@v3 | actions/checkout@f43a0e5 | f43a0e5ff2bd294095638e18286ca9a3d1956744 | v3.6.0 |
| actions/checkout@v4 | actions/checkout@34e1148 | 34e114876b0b11c390a56381ad16ebd13914f8d5 | v4.3.1 |
| actions/stale@v7 | actions/stale@6f05e42 | 6f05e4244c9a0b2ed3401882b05d701dd0a7289b | v7.0.0 |
| aws-actions/configure-aws-credentials@v1 | aws-actions/configure-aws-credentials@67fbcbb | 67fbcbb121271f7775d2e7715933280b06314838 | v1.7.0 |
| aws-actions/configure-aws-credentials@v4 | aws-actions/configure-aws-credentials@7474bc4 | 7474bc4690e29a8392af63c5b98e7449536d5c3a | v4.3.1 |
| benchmark-action/github-action-benchmark@v1 | benchmark-action/github-action-benchmark@a7bc236 | a7bc2366eda11037936ea57d811a43b3418d3073 | v1.21.0 |
| docker/build-push-action@v3 | docker/build-push-action@1104d47 | 1104d471370f9806843c095c1db02b5a90c5f8b6 | v3.3.1 |
| docker/login-action@v2 | docker/login-action@465a078 | 465a07811f14bebb1938fbed4728c6a1ff8901fc | v2.2.0 |
| docker/setup-buildx-action@v2 | docker/setup-buildx-action@885d146 | 885d1462b80bc1c1c7f0b00334ad271f09369c55 | v2.10.0 |
| github/codeql-action/analyze@v2 | github/codeql-action@b8d3b6e | b8d3b6e8af63cde30bdc382c0bc28114f4346c88 | v2.28.1 |
| github/codeql-action/autobuild@v2 | github/codeql-action@b8d3b6e | b8d3b6e8af63cde30bdc382c0bc28114f4346c88 | v2.28.1 |
| github/codeql-action/init@v2 | github/codeql-action@b8d3b6e | b8d3b6e8af63cde30bdc382c0bc28114f4346c88 | v2.28.1 |
| JasonEtco/create-an-issue@v2 | JasonEtco/create-an-issue@1b14a70 | 1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 | v2.9.2 |
| ruby/setup-ruby@v1.221.0 | ruby/setup-ruby@32110d4 | 32110d4e311bd8996b2a82bf2a43b714ccc91777 | v1.221.0 |

Static Code Check

Added a static-code-checks job to pr-build.yml that will fail PRs introducing mutable GitHub Action version references.
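The static check described in the PR is not shown on this page. The script below is an added example (not the job merged here, and not this project's code) of the kind of check such a job runs: it scans workflow files for `uses:` references and fails unless the ref after `@` is a full 40-character commit SHA. It accepts both step-level (`- uses:`) and job-level (reusable workflow) references, skips local composite actions (`./...`) and `docker://` images, and rejects abbreviated SHAs as well as tags and branch names. The `--demo` flag, the `main()` glob over `.github/workflows/`, and the constructed sample workflow (with a hypothetical `some-org/...` action) are all assumptions of this example; the full SHA it uses is the `actions/checkout` v4.3.1 hash from the table above.

```python
"""Fail CI when a workflow references a GitHub Action by a mutable ref.

Added example, not the check merged in this PR. Rule enforced:
every remote `uses:` reference must be `owner/repo[/path]@<40-hex commit SHA>`.
"""
import glob
import re
import sys
from typing import List, Optional, Tuple

# A `uses:` line at step level ("- uses: ...") or job level (reusable workflow),
# with optional quotes around the reference and an optional trailing "# vX.Y.Z".
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^\s"\'#]+)["\']?\s*(?:#.*)?$')
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
ABBREV_SHA_RE = re.compile(r"[0-9a-f]{4,39}")


def pin_problem(ref: str) -> Optional[str]:
    """Return None if the reference is acceptably pinned, else a short reason."""
    # Local composite actions and container images are outside the tag-pinning rule.
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return "no '@ref' (resolves to the action's default branch)"
    version = ref.rpartition("@")[2]
    if FULL_SHA_RE.fullmatch(version):
        return None
    if ABBREV_SHA_RE.fullmatch(version):
        # A 7-char prefix is neither unique nor what "pinned to a commit" means.
        return f"abbreviated SHA '{version}' (pin the full 40-character SHA)"
    return f"mutable ref '{version}' (tag or branch name)"


def check_workflow(text: str, filename: str = "<workflow>") -> List[Tuple[str, int, str, str]]:
    """Return (filename, line number, reference, reason) for each offending `uses:`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        reason = pin_problem(ref)
        if reason is not None:
            findings.append((filename, lineno, ref, reason))
    return findings


# Constructed sample workflow (not a file from the repository). The full SHA is the
# actions/checkout v4.3.1 hash from the PR table; "465a078" is the table's 7-char
# form of the docker/login-action hash, which this check deliberately rejects;
# the "some-org/..." references are hypothetical.
SAMPLE_WORKFLOW = """\
name: pr-build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: actions/cache@v3
      - uses: ./.github/actions/local-setup
      - uses: "docker/login-action@465a078"
      - uses: some-org/some-action
  reuse:
    uses: some-org/workflows/.github/workflows/lint.yml@main
"""


def main(paths: Optional[List[str]] = None) -> int:
    """Scan workflow files (default: .github/workflows/*.yml|*.yaml); return a CI exit code."""
    if paths is None:
        paths = sorted(glob.glob(".github/workflows/*.yml") + glob.glob(".github/workflows/*.yaml"))
    all_findings = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            all_findings.extend(check_workflow(fh.read(), path))
    for fname, lineno, ref, reason in all_findings:
        print(f"{fname}:{lineno}: {ref}: {reason}")
    return 1 if all_findings else 0


if __name__ == "__main__":
    if "--demo" in sys.argv:
        for finding in check_workflow(SAMPLE_WORKFLOW, "sample.yml"):
            print("%s:%d: %s: %s" % finding)
        sys.exit(0)
    sys.exit(main())
```

Run as a step in the PR workflow (`python3 check_action_pins.py`, file name assumed) and the non-zero exit fails the job whenever a new `@vN`, `@main` or short-SHA reference is introduced. Because it is a line-oriented regex rather than a YAML parser, a `uses:` key split across lines or written with unusual quoting would slip past it; a YAML-aware walk over `jobs.*.steps[].uses` and `jobs.*.uses` closes that gap at the cost of a dependency.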

@thpierce thpierce requested a review from a team as a code owner March 17, 2026 21:17
@thpierce thpierce merged commit e999151 into main Mar 17, 2026
5 of 6 checks passed
@thpierce thpierce deleted the pin-github-actions-sha branch March 17, 2026 21:57