[FIX] pin all GitHub Actions to commit SHAs (CVE-2026-31976) #4
Pull request overview
Pins previously mutable GitHub Actions references to commit SHAs and restructures the workflow to run unprivileged checks on pull_request while keeping privileged status reporting in pull_request_target.
Changes:
- Pin actions/checkout, actions/setup-python, and actions/cache from version tags to commit SHAs.
- Add a pull_request trigger and ensure pre-commit runs only in non-privileged contexts.
- Replace the curl-based status creation with a github-script step that waits for the pre-commit check result, then creates a commit status.
| report-status: | ||
| # Solo corre en pull_request_target para crear el commit status | ||
| # NO hace checkout — no ejecuta código del PR | ||
| if: github.event_name == 'pull_request_target' | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - | ||
| name: Create commit status | ||
| if: github.event_name == 'pull_request_target' | ||
| run: | | ||
| curl -L \ | ||
| -X POST \ | ||
| -H "Accept: application/vnd.github+json" \ | ||
| -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | ||
| -H "X-GitHub-Api-Version: 2022-11-28" \ | ||
| https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \ | ||
| -d '{"state":"${{ steps.precommit.outcome }}","context":"mergebot/pre-commit"}' \ | ||
| --fail | ||
| name: Wait for pre-commit check | ||
| uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 # v6 | ||
| with: | ||
| github-token: ${{ secrets.GITHUB_TOKEN }} |
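Review bot: the script body of the new "Wait for pre-commit check" step is not in this hunk, so confirm it selects the check run by `github.event.pull_request.head.sha` plus the check name (not merely the newest run on the PR) and maps the check-run conclusion onto the four states the Statuses API accepts (`error`, `failure`, `pending`, `success`); the removed curl step forwarded `steps.precommit.outcome` unchanged, and `cancelled`/`skipped` are not valid status states, so a straight pass-through in the new script would fail the same way. Two smaller points: `github-token: ${{ secrets.GITHUB_TOKEN }}` is already the actions/github-script default and can be dropped, and the Spanish job comments (`# Solo corre en pull_request_target ...`) read differently from the rest of the visible hunk, which is in English.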
report-status uses the Checks and Statuses APIs via GITHUB_TOKEN, but the workflow/job doesn't declare explicit permissions. If the repo/org default token permissions are read-only, this job will 403 when listing checks and/or creating commit statuses. Consider adding least-privilege permissions (e.g., checks: read and statuses: write) at the workflow or job level.
| pull_request: | ||
| branches: | ||
| - "1[8-9].0*" | ||
| - "[2-9][0-9].0*" |
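Review bot: for a `pull_request` trigger this `branches` list filters on the PR's base branch, so a PR targeting anything outside `1[8-9].0*` / `[2-9][0-9].0*` never gets a pre-commit run; because `report-status` on `pull_request_target` waits for that check, keep the `branches` lists of the two triggers identical (or give the waiting step a bounded retry that posts an `error` status) so such PRs cannot sit without any status.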
This workflow file is marked as generated by Copier (DO NOT EDIT... Changes here will be lost). To avoid the SHA pinning and logic split being overwritten on the next template update, the corresponding change should also be applied in the upstream template source (or whichever generator inputs produce this file).
| - | ||
| name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
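Review bot: the trailing `# v4` records only the moving major tag; write the exact release tag the SHA resolves to (`# v4.<minor>.<patch>`, looked up from the actions/checkout releases) so a reader can verify that the pin matches a published release and so Dependabot/Renovate, which read that comment to track pinned actions, bump the SHA against the right version.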
PR title/description says all remaining GitHub Actions are pinned to SHAs, but this repo still has workflows using mutable tags (e.g., src/.github/workflows/cleaner.yml uses actions/github-script@v6). Either broaden the changes to cover the remaining workflows or narrow the PR title/description to reflect that only pre-commit.yml was fully pinned.
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| with: | ||
| ref: ${{ github.event_name == 'pull_request_target' && github.event.pull_request.head.sha || github.ref }} | ||
| ref: ${{ github.event.pull_request.head.sha || github.ref }} |
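Review bot: dropping the `github.event_name == 'pull_request_target'` guard also removes the only visible reminder that this checkout must not run with a privileged token; `report-status` no longer checks out at all, so today this `ref:` is only evaluated in unprivileged jobs, but add a comment saying so, otherwise a future edit that reuses this step in a `pull_request_target` job would check out untrusted PR code with write access.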
ref: ${{ github.event.pull_request.head.sha || github.ref }} will be evaluated on push events too, where github.event.pull_request is undefined, which can cause the workflow to fail during expression evaluation. Use the same short-circuit pattern as before (guard with github.event_name), or use github.sha for push and github.event.pull_request.head.sha for pull_request.
| ref: ${{ github.event.pull_request.head.sha || github.ref }} | |
| ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.sha || github.sha }} |
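Review bot: on `pull_request`, `github.sha` is the synthetic merge commit while `head.sha` is the PR tip, so this expression runs pre-commit on the head rather than on the merged result; that is consistent with the status being posted against `head.sha` above, but it means a PR whose head passes and whose merge with the base branch would fail pre-commit is still reported green, which is worth a comment next to the expression.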
Pin remaining mutable action tags to exact commit SHAs to prevent supply
chain attacks via tag poisoning (CVE-2026-31976).
Previously pre-commit/action and actions/github-script were pinned, but three actions still used mutable tags:

- actions/checkout@v4 → @34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-python@v5 → @a26af69be951a213d495a4c3e4e4022e16d87065
- actions/cache@v4 → @0057852bfaa89a56745cba8c7296529d2fc39830

All actions in the workflow are now pinned to a commit SHA. A compromised
or force-pushed tag can no longer silently inject malicious code into the
runner.
References: