
Commit 87857e4

chore: pin GitHub Actions to commit SHAs (#7813)
## Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. `actions/checkout@v4`) use a mutable pointer — the tag owner can move it to a different commit at any time, including a malicious one. This is the attack vector used in the tj-actions/changed-files incident (CVE-2025-30066). Pinning to a full 40-character commit SHA makes the reference immutable. The `# tag` comment preserves human readability so reviewers can tell which version is pinned.

Important: a SHA can also originate from a forked repository. A malicious actor can fork an action, push a compromised commit to the fork, and the SHA will resolve — but it won't exist in the upstream canonical repo. Each SHA in this PR was verified against the action's canonical repository (not a fork).

### Changes

- `actions/checkout@v6` -> `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`
  - Version: v6.0.2 | Latest: v6.0.2 | Release age: 88d
  - Commit: actions/checkout@de0fac2
- `actions/upload-artifact@v7` -> `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7`
  - Version: v7 | Latest: v3.2.2 | Release age: 22d
  - Commit: actions/upload-artifact@bbbca2d
- `actions/download-artifact@v8` -> `actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1`
  - Version: v8.0.1 | Latest: v3.1.0-node20 | Release age: 22d
  - Commit: actions/download-artifact@3e5f45b
  - Warnings: 1 security advisory(ies) found, Action has 1 known advisory(ies)
- `dfinity/setup-dfx@main` -> `dfinity/setup-dfx@e50c04f104ee4285ec010f10609483cf41e4d365 # main`
  - Version: main | Latest: ? | Release age: ?
  - Commit: dfinity/setup-dfx@e50c04f
- `actions/setup-go@v6` -> `actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0`
  - Version: v6.4.0 | Latest: v6.4.0 | Release age: 9d
  - Commit: actions/setup-go@4a36011
- `docker/setup-buildx-action@v4` -> `docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4`
  - Version: v4 | Latest: v4.0.0 | Release age: 34d
  - Commit: docker/setup-buildx-action@4d04d5d
- `docker/build-push-action@v7` -> `docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7`
  - Version: v7 | Latest: v7.0.0 | Release age: 33d
  - Commit: docker/build-push-action@d08e5c3
- `actions/setup-node@v6` -> `actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0`
  - Version: v6.3.0 | Latest: v6.3.0 | Release age: 35d
  - Commit: actions/setup-node@53b8394
- `actions/cache@v5` -> `actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4`
  - Version: v5.0.4 | Latest: v5.0.4 | Release age: 20d
  - Commit: actions/cache@6682284
- `dfinity/internet-identity/.github/actions/slack@release-2023-08-28` -> `dfinity/internet-identity/.github/actions/slack@b278eab440b6adfcb561f18fe24bdea66c1987c3 # release-2023-08-28`
  - Version: release-2023-08-28 | Latest: release-2026-04-03 | Release age: 11d
  - Commit: dfinity/internet-identity@b278eab
  - Warnings: Latest release release-2026-04-03 is only 5 day(s) old (< 7 days). Using previous safe release., 3 security advisory(ies) found, Action has 3 known advisory(ies)
- `actions/create-github-app-token@v2` -> `actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2`
  - Version: v2.2.2 | Latest: v3.0.0 | Release age: 25d
  - Commit: actions/create-github-app-token@fee1f7d
- `peter-evans/create-pull-request@v8` -> `peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0`
  - Version: v8.1.0 | Latest: v8.1.0 | Release age: 76d
  - Commit: peter-evans/create-pull-request@c0f553f

### Files modified

- `.github/workflows/build.yml`
- `.github/workflows/checks.yml`
- `.github/workflows/deploy-to-app.yaml`
- `.github/workflows/docker-main.yaml`
- `.github/workflows/nightly.yaml`
- `.github/workflows/reproducible.yaml`
- `.github/workflows/tag.yaml`
- `.github/workflows/update-aggregator.yml`
- `.github/workflows/update-didc.yml`
- `.github/workflows/update-ic-cargo-deps.yaml`
- `.github/workflows/update-next.yml`
- `.github/workflows/update-rust.yml`
- `.github/workflows/update-sns-aggregator-response.yml`
- `.github/workflows/update-snsdemo.yml`

### Security warnings

- 1 security advisory(ies) found
- Action has 1 known advisory(ies)
- Latest release release-2026-04-03 is only 5 day(s) old (< 7 days). Using previous safe release.
- 3 security advisory(ies) found
- Action has 3 known advisory(ies)

---------

Co-authored-by: Yusef Habib <yusef.fernandez@dfinity.org>
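The check the commit message describes (is every `uses:` reference a full 40-hex commit SHA, and does each SHA pin carry a readable `# version` comment), written out as an added example; this is not the nns-dapp project's own tooling. The sample workflow text is constructed from `uses:` lines that appear in this diff plus two made-up lines (an uncommented pin and a `docker://` image) to exercise the other branches. The fork check from the commit message, confirming that a SHA exists in the action's canonical `owner/repo` and not only in a fork, requires a lookup against that repository and is deliberately outside this offline check.

```python
"""Lint GitHub Actions workflow text for mutable `uses:` references.

Added example, not part of the nns-dapp repository. Rule applied: a reference
is immutable only if it is a full 40-hex commit SHA, and a SHA pin should carry
a `# <version>` comment so a reviewer can still tell which release is pinned.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# `uses: <target>   # <comment>` with an optional leading list dash.
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*(?P<target>[^\s#]+)\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A comment names an exact release if it is a dotted version (v6.0.2, 2.1) or
# carries a date (release-2023-08-28). Major-only tags (v7) or branches (main)
# do not identify a release and cannot be checked against a release list.
EXACT_RELEASE_RE = re.compile(r"^(v?\d+\.\d+(\.\d+)?|.*\d{4}-\d{2}-\d{2}.*)$")


@dataclass
class Finding:
    line_no: int
    action: str              # owner/repo for GitHub actions, else the raw target
    ref: str                 # text after '@' (empty for local/docker targets)
    kind: str                # pinned | pinned-no-comment | mutable | local | docker
    comment: Optional[str]
    exact_release: bool      # comment names a specific release


def classify(target: str, comment: Optional[str]) -> Tuple[str, str, str, bool]:
    """Return (action, ref, kind, exact_release) for one `uses:` target."""
    if target.startswith("./"):
        return target, "", "local", False       # same-repo action, moves with the checkout
    if target.startswith("docker://"):
        return target, "", "docker", False      # image tags are mutable too unless @sha256:
    path, sep, ref = target.rpartition("@")
    if not sep:
        return target, "", "mutable", False     # no ref at all: follows the default branch
    action = "/".join(path.split("/")[:2])      # owner/repo, dropping any subdirectory
    if not FULL_SHA_RE.fullmatch(ref):
        return action, ref, "mutable", False    # tag or branch: the owner can move it
    if not comment:
        return action, ref, "pinned-no-comment", False
    return action, ref, "pinned", bool(EXACT_RELEASE_RE.match(comment))


def lint_workflow(text: str) -> List[Finding]:
    """Classify every `uses:` line in a workflow file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("'\"")
        action, ref, kind, exact = classify(target, m.group("comment"))
        findings.append(Finding(line_no, action, ref, kind, m.group("comment"), exact))
    return findings


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.kind for f in findings))


def report(findings: List[Finding]) -> List[str]:
    """Review messages for what a reader of the diff would want fixed."""
    msgs = []
    for f in findings:
        if f.kind == "mutable":
            msgs.append(f"line {f.line_no}: {f.action}@{f.ref} is a mutable tag/branch; pin a 40-hex SHA")
        elif f.kind == "pinned-no-comment":
            msgs.append(f"line {f.line_no}: {f.action}@{f.ref[:7]} is pinned but has no '# version' comment")
        elif f.kind == "pinned" and not f.exact_release:
            msgs.append(f"line {f.line_no}: {f.action}@{f.ref[:7]} comment '{f.comment}' names no exact release")
    return msgs


# Constructed sample: real lines from this diff plus two made-up ones.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Checkout (pinned)
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Upload
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
      - name: Install dfx
        uses: dfinity/setup-dfx@main
      - name: Notify
        uses: dfinity/internet-identity/.github/actions/slack@b278eab440b6adfcb561f18fe24bdea66c1987c3 # release-2023-08-28
      - name: Unreadable pin (constructed)
        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
      - uses: ./.github/actions/test-e2e
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    found = lint_workflow(SAMPLE_WORKFLOW)
    print(summarize(found))
    for msg in report(found):
        print(msg)
```

On the sample, the two tag/branch references and the uncommented pin are reported, and the `# v7` pin is reported as readable but not checkable against a specific release, which is the same distinction the `# v6.0.2` and `# v7` comments in this diff illustrate. Run it over `.github/workflows/*.yml` in CI and fail the job when `report()` is non-empty to keep future edits from reintroducing a mutable reference.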
1 parent 2293b8c commit 87857e4

14 files changed, +104 -104 lines changed

.github/workflows/build.yml

Lines changed: 36 additions & 36 deletions
@@ -26,7 +26,7 @@ jobs:
2626
GH_TOKEN: ${{ github.token }}
2727
steps:
2828
- name: Checkout nns-dapp
29-
uses: actions/checkout@v6
29+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3030
- name: Skip build for testing
3131
# Set to true and set a recent `run_id` below to reuse an existing build
3232
# instead of building.
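Review bot: the pin at `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` stops following the tag, which also means it stops receiving fixes, so every workflow touched by this commit now needs something to bump the SHAs. All 14 files changed are under `.github/workflows/`, so this commit adds no Dependabot (`package-ecosystem: github-actions`) or Renovate configuration; either confirm one already exists in the repository or add it alongside this change, otherwise the pins will silently go stale.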
@@ -45,31 +45,31 @@ jobs:
4545
with:
4646
token: ${{ secrets.GITHUB_TOKEN }}
4747
- name: 'Upload nns-dapp wasm module'
48-
uses: actions/upload-artifact@v7
48+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
4949
with:
5050
name: nns-dapp
5151
path: out/nns-dapp.wasm.gz
5252
retention-days: 3
5353
- name: 'Upload nns-dapp test wasm module'
54-
uses: actions/upload-artifact@v7
54+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
5555
with:
5656
name: nns-dapp_test
5757
path: out/nns-dapp_test.wasm.gz
5858
retention-days: 3
5959
- name: 'Upload sns_aggregator wasm module'
60-
uses: actions/upload-artifact@v7
60+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
6161
with:
6262
name: sns_aggregator
6363
path: out/sns_aggregator.wasm.gz
6464
retention-days: 3
6565
- name: 'Upload sns_aggregator_dev wasm module'
66-
uses: actions/upload-artifact@v7
66+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
6767
with:
6868
name: sns_aggregator_dev
6969
path: out/sns_aggregator_dev.wasm.gz
7070
retention-days: 3
7171
- name: 'Upload whole out directory'
72-
uses: actions/upload-artifact@v7
72+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
7373
with:
7474
name: out
7575
path: out
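Review bot: the five upload-artifact pins in this hunk carry the comment `# v7`, a major tag, while the checkout pin in the same file is annotated `# v6.0.2`. A major-only comment tells a reviewer which release line the SHA came from but not which release, so it cannot be checked against the action's release list the way `# v6.0.2` can; record the exact release the SHA resolves to. The commit message's own metadata for this action (`Version: v7 | Latest: v3.2.2`) is also inconsistent with a v7 line being current, which suggests the release lookup used to produce it did not resolve cleanly; re-resolve `bbbca2ddaa5d8feaa63e36b76fdaad77386f024f` against actions/upload-artifact's tags before merging.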
@@ -80,7 +80,7 @@ jobs:
8080
timeout-minutes: 30
8181
steps:
8282
- name: Checkout nns-dapp
83-
uses: actions/checkout@v6
83+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
8484
- name: Run Playwright e2e test shard 1/2
8585
uses: ./.github/actions/test-e2e
8686
with:
@@ -92,7 +92,7 @@ jobs:
9292
timeout-minutes: 30
9393
steps:
9494
- name: Checkout nns-dapp
95-
uses: actions/checkout@v6
95+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
9696
- name: Run Playwright e2e test shard 2/2
9797
uses: ./.github/actions/test-e2e
9898
with:
@@ -104,17 +104,17 @@ jobs:
104104
timeout-minutes: 40
105105
steps:
106106
- name: Checkout nns-dapp
107-
uses: actions/checkout@v6
107+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
108108
- name: Get nns-dapp_test
109109
# Note: This may be performed manually with ./scripts/docker-build --network local
110-
uses: actions/download-artifact@v8
110+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
111111
with:
112112
name: out
113113
path: out
114114
- name: Install ic-wasm
115115
uses: ./.github/actions/install_ic_wasm
116116
- name: Install dfx
117-
uses: dfinity/setup-dfx@main
117+
uses: dfinity/setup-dfx@e50c04f104ee4285ec010f10609483cf41e4d365 # main
118118
- name: Install tools
119119
run: |
120120
sudo apt-get update -yy && sudo apt-get install -yy moreutils && command -v sponge
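Review bot: `uses: dfinity/setup-dfx@e50c04f104ee4285ec010f10609483cf41e4d365 # main` pins a branch head rather than a release; the commit message records `Latest: ?` for this action, so there was no tag to pin to. The `# main` comment will stop describing the SHA as soon as upstream `main` moves on, and tag-tracking bump tooling has nothing to follow here, so this pin needs a manual update path; consider replacing the comment with the upstream commit date (or asking upstream for a tagged release) so the next reader can tell how old the pin is. Also in this hunk, the commit message flags `actions/download-artifact` as having 1 known advisory; confirm the pinned `v8.0.1` is outside the affected range, or state in the PR why it is acceptable.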
@@ -127,16 +127,16 @@ jobs:
127127
timeout-minutes: 40
128128
steps:
129129
- name: Checkout nns-dapp
130-
uses: actions/checkout@v6
130+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
131131
- name: Get nns-dapp_test
132-
uses: actions/download-artifact@v8
132+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
133133
with:
134134
name: out
135135
path: out
136136
- name: Install ic-wasm
137137
uses: ./.github/actions/install_ic_wasm
138138
- name: Install dfx
139-
uses: dfinity/setup-dfx@main
139+
uses: dfinity/setup-dfx@e50c04f104ee4285ec010f10609483cf41e4d365 # main
140140
- name: Install tools
141141
run: |
142142
sudo apt-get update -yy && sudo apt-get install -yy moreutils && command -v sponge
@@ -147,7 +147,7 @@ jobs:
147147
run: ./scripts/nns-dapp/migration-test --accounts 1000 --chunk 100
148148
- name: Upload dfx logs
149149
if: failure()
150-
uses: actions/upload-artifact@v7
150+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
151151
with:
152152
name: test-upgrade-stable-dfx.log
153153
path: test-upgrade-stable-dfx.log
@@ -157,9 +157,9 @@ jobs:
157157
timeout-minutes: 40
158158
steps:
159159
- name: Checkout nns-dapp
160-
uses: actions/checkout@v6
160+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
161161
- name: Get nns-dapp_test
162-
uses: actions/download-artifact@v8
162+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
163163
with:
164164
name: nns-dapp_test
165165
- name: Start empty nns-dapp
@@ -177,17 +177,17 @@ jobs:
177177
timeout-minutes: 40
178178
steps:
179179
- name: Checkout nns-dapp
180-
uses: actions/checkout@v6
180+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
181181
- name: Get nns-dapp
182-
uses: actions/download-artifact@v8
182+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
183183
with:
184184
name: nns-dapp
185185
- name: Get sns_aggregator
186-
uses: actions/download-artifact@v8
186+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
187187
with:
188188
name: sns_aggregator
189189
- name: Get sns_aggregator_dev
190-
uses: actions/download-artifact@v8
190+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
191191
with:
192192
name: sns_aggregator_dev
193193
- name: Start snapshot environment
@@ -197,7 +197,7 @@ jobs:
197197
sns_aggregator_wasm: 'sns_aggregator_dev.wasm.gz'
198198
logfile: 'dfx-test-rest.log'
199199
- name: Setup Go
200-
uses: actions/setup-go@v6
200+
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
201201
with:
202202
go-version: '1.25'
203203
- name: Add go and SNS scripts to the path
@@ -297,7 +297,7 @@ jobs:
297297
timeout-minutes: 45
298298
steps:
299299
- name: Checkout nns-dapp
300-
uses: actions/checkout@v6
300+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
301301
with:
302302
fetch-depth: 0
303303
- name: Check dockerfile for changes
@@ -309,12 +309,12 @@ jobs:
309309
fi
310310
- name: Set up docker buildx
311311
if: steps.dockerfile_changed.outputs.dockerfile_changed == 'true'
312-
uses: docker/setup-buildx-action@v4
312+
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
313313
- name: Create a blank global config
314314
run: echo "{}" > global-config.json
315315
- name: Build wasms
316316
if: steps.dockerfile_changed.outputs.dockerfile_changed == 'true'
317-
uses: docker/build-push-action@v7
317+
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
318318
with:
319319
context: .
320320
file: Dockerfile
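Review bot: `# v4` on setup-buildx-action and `# v7` on build-push-action are major tags, but the commit message's metadata resolves both to a single release (`Latest: v4.0.0` and `Latest: v7.0.0`), so the comments can name `v4.0.0` and `v7.0.0` directly; that keeps the annotation style consistent with `# v6.0.2` and `# v6.4.0` elsewhere in this file and lets a reviewer compare each SHA against a specific release.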
@@ -326,19 +326,19 @@ jobs:
326326
outputs: ./out-mainnet
327327
- name: Get nns-dapp
328328
if: steps.dockerfile_changed.outputs.dockerfile_changed == 'true'
329-
uses: actions/download-artifact@v8
329+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
330330
with:
331331
name: nns-dapp
332332
path: out-local
333333
- name: Get sns_aggregator
334334
if: steps.dockerfile_changed.outputs.dockerfile_changed == 'true'
335-
uses: actions/download-artifact@v8
335+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
336336
with:
337337
name: sns_aggregator
338338
path: out-local
339339
- name: Get sns_aggregator_dev
340340
if: steps.dockerfile_changed.outputs.dockerfile_changed == 'true'
341-
uses: actions/download-artifact@v8
341+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
342342
with:
343343
name: sns_aggregator_dev
344344
path: out-local
@@ -363,9 +363,9 @@ jobs:
363363
timeout-minutes: 60
364364
steps:
365365
- name: Checkout nns-dapp
366-
uses: actions/checkout@v6
366+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
367367
- name: Get sns_aggregator_dev
368-
uses: actions/download-artifact@v8
368+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
369369
with:
370370
name: sns_aggregator_dev
371371
- name: Start snapshot environment
@@ -467,9 +467,9 @@ jobs:
467467
needs: build
468468
runs-on: ubuntu-22.04
469469
steps:
470-
- uses: actions/checkout@v6
470+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
471471
- name: Get docker build outputs
472-
uses: actions/download-artifact@v8
472+
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
473473
with:
474474
name: out
475475
path: out
@@ -478,7 +478,7 @@ jobs:
478478
- name: 'Record the git commit and any tags'
479479
run: git log | head -n1 > out/commit.txt
480480
- name: 'Upload ${{ matrix.BUILD_NAME }} nns-dapp wasm module'
481-
uses: actions/upload-artifact@v7
481+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
482482
with:
483483
name: nns-dapp for ${{ matrix.BUILD_NAME }}
484484
path: |
@@ -489,7 +489,7 @@ jobs:
489489
out/frontend-config.sh
490490
out/deployment-config.json
491491
- name: 'Upload sns_aggregator wasm module'
492-
uses: actions/upload-artifact@v7
492+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
493493
with:
494494
name: sns_aggregator for ${{ matrix.BUILD_NAME }}
495495
path: |
@@ -501,7 +501,7 @@ jobs:
501501
assets_dir: 'out'
502502
token: ${{ secrets.GITHUB_TOKEN }}
503503
- name: 'Upload frontend assets'
504-
uses: actions/upload-artifact@v7
504+
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
505505
with:
506506
name: NNS frontend assets
507507
path: |
@@ -538,7 +538,7 @@ jobs:
538538
if: ${{ always() }}
539539
runs-on: ubuntu-22.04
540540
steps:
541-
- uses: actions/checkout@v6
541+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
542542
- uses: ./.github/actions/needs_success
543543
with:
544544
needs: '${{ toJson(needs) }}'
