Skip to content

BAU: Ensure that actions are pinned to SHAs#1806

Merged
whi-tw merged 3 commits into
mainfrom
whi-tw/require-pinned-gha
Nov 11, 2025
Merged

BAU: Ensure that actions are pinned to SHAs#1806
whi-tw merged 3 commits into
mainfrom
whi-tw/require-pinned-gha

Conversation

@whi-tw
Copy link
Copy Markdown
Contributor

@whi-tw whi-tw commented Oct 21, 2025

What problem does this pull request solve?

This will flag that non-sha-pinned actions are present in workflows. SHA-pinning is advised in GDS-way.

Copilot AI review requested due to automatic review settings October 21, 2025 14:26
Copilot AI reviewed Oct 21, 2025
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds a new workflow to enforce SHA-pinned GitHub Actions across all workflow files, aligning with GDS security standards that recommend pinning actions to specific commit SHAs rather than tags.

Key Changes:

  • New workflow triggers on PR events when workflow files are modified
  • Uses a third-party action to validate that all GitHub Actions are pinned to commit SHAs

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented Oct 21, 2025
edited
Loading

💰 Infracost report

This pull request is aligned with your company's FinOps policies and the Well-Architected Framework.

Monthly estimate generated
Estimate details (includes details of unsupported resources and skipped projects due to errors) 
──────────────────────────────────
Project: forms-health-dev
Module path: infra/deployments/forms/health
Errors:
 Error loading Terraform modules:
  could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
   /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
    Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
Project: forms-health-production
Module path: infra/deployments/forms/health
Errors:
 Error loading Terraform modules:
  could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
   /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
    Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
Project: forms-health-staging
Module path: infra/deployments/forms/health
Errors:
 Error loading Terraform modules:
  could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
   /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
    Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
Project: forms-health-user-research
Module path: infra/deployments/forms/health
Errors:
 Error loading Terraform modules:
  could not load modules for path /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health failed to parse file /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf diag:
   /home/runner/work/forms-deploy/forms-deploy/infra/deployments/forms/health/alerts/variables.tf:32,90-91:
    Missing argument separator; A comma is required to separate each function argument from the next., and 1 other diagnostic(s)

──────────────────────────────────
──────────────────────────────────
57 projects have no cost estimate changes.
Run the following command to see their breakdown: infracost breakdown --path=/path/to/code

──────────────────────────────────
3790 cloud resources were detected:
∙ 739 were estimated
∙ 3021 were free
∙ 30 are not supported yet, see https://infracost.io/requested-resources:
  ∙ 26 x aws_codepipeline
  ∙ 4 x aws_guardduty_malware_protection_plan
This comment will be updated when code changes.

@whi-tw whi-tw force-pushed the whi-tw/require-pinned-gha branch 7 times, most recently from 7cae99d to 62c98f2 Compare October 21, 2025 15:12
@whi-tw whi-tw requested a review from lfdebrux October 21, 2025 15:14
cadmiumcat
cadmiumcat previously approved these changes Nov 6, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@cadmiumcat cadmiumcat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thankles

@whi-tw whi-tw force-pushed the whi-tw/require-pinned-gha branch 3 times, most recently from 6b32d28 to 4b96bd2 Compare November 6, 2025 12:57
@whi-tw whi-tw requested a review from cadmiumcat November 6, 2025 15:38
lfdebrux
lfdebrux reviewed Nov 7, 2025
View reviewed changes
Comment thread .github/workflows/require-pinned-github-actions.yml Outdated
@whi-tw whi-tw force-pushed the whi-tw/require-pinned-gha branch 2 times, most recently from 368503a to dc122d3 Compare November 11, 2025 15:31
cadmiumcat
cadmiumcat previously approved these changes Nov 11, 2025
View reviewed changes
@whi-tw whi-tw force-pushed the whi-tw/require-pinned-gha branch from dc122d3 to 3e11d35 Compare November 11, 2025 15:43
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Nov 11, 2025

Warning

You are changing the Terraform version.

Before you merge this PR, you must apply the forms/pipelines
Terraform root from this branch in each of the forms environments.

make ENV forms/pipelines apply

@whi-tw whi-tw enabled auto-merge November 11, 2025 15:44
@whi-tw whi-tw merged commit 2ee1047 into main Nov 11, 2025
22 checks passed
@whi-tw whi-tw deleted the whi-tw/require-pinned-gha branch November 11, 2025 15:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lfdebrux lfdebrux lfdebrux left review comments

Copilot code review Copilot Copilot left review comments

@cadmiumcat cadmiumcat cadmiumcat approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@whi-tw @lfdebrux @cadmiumcat