
ci: pin actions to SHAs and add dependabot#260

Merged
korbinian90 merged 1 commit into main from ci/pin-actions-shas on Jun 23, 2026

Conversation

@korbinian90

Collaborator

What

Pin every external GitHub Action in .github/workflows/ from a moving tag (uses: owner/action@v6) to a full 40-char commit SHA, with the version tag preserved as a trailing comment:

uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
  • 110 references pinned across 13 workflow files.
  • SHAs resolved via git ls-remote (annotated tags dereferenced with ^{} to the underlying commit) and each verified to be exactly 40 hex chars.
  • The local reusable-workflow ref uses: ./.github/workflows/release_desktop.yml is intentionally left unpinned (local refs aren't pinnable).

Why

A version tag can be silently repointed at malicious code; a commit SHA cannot. This is the GitHub-recommended hardening for third-party actions and closes a supply-chain gap.

Dependabot

.github/dependabot.yml already declares the github-actions ecosystem on a weekly schedule, so no change was needed there. Dependabot understands SHA pins and will bump the SHA + the trailing version comment together, keeping the pins current.

Verification

  • All 13 workflow YAML files re-parse cleanly after the edit.
  • Diff is a strict 1:1 line swap (110 insertions / 110 deletions) — no indentation, with:, if:, or permission keys touched.
  • Reviewed by a read-only review pass for SHA-format, comment-tag correctness, and over-broad replacement.

🤖 Generated with Claude Code

Pin every external `uses: owner/action@tag` in .github/workflows/ to a
full 40-char commit SHA, keeping the version tag as a trailing comment so
humans and Dependabot can still read the intended version.

SHA pinning is the GitHub-recommended hardening for third-party actions:
a moving tag can be repointed at malicious code, a commit SHA cannot.

dependabot.yml already declares the github-actions ecosystem (weekly),
so it will keep these pins current by bumping the SHA + comment together.
No dependabot change needed.

Local reusable-workflow ref (./.github/workflows/release_desktop.yml) is
left as-is; only external references are pinned.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
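The procedure described in the PR body and the commit message above (resolve each tag with `git ls-remote`, prefer the peeled `^{}` commit for annotated tags, check that the result is exactly 40 hex characters, and rewrite each `uses:` line 1:1 with the tag kept as a trailing comment), as an added Python example. This is not the project's own tooling or the script used for the PR: the sample workflow, the `FAKE_LS_REMOTE` output, the `fake_resolve` callback and every SHA in them are constructed placeholders; only `resolve_via_git` talks to a real remote.

```python
"""Pin `uses: owner/action@tag` references to full commit SHAs.

Added example, not niivue-vscode's own tooling.  Constructed inputs are
marked below; only resolve_via_git() performs a real network call.
"""
import re
import subprocess
from typing import Callable, Optional, Tuple

# A pinned ref must be exactly 40 lowercase hex chars (a full commit SHA).
SHA40 = re.compile(r"^[0-9a-f]{40}$")

# Only `uses: owner/repo[/path]@ref` matches.  Local refs (./...) have no
# '@', and docker:// refs contain ':' in the first segment, so both fall
# through untouched, as the PR intends.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<slug>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)"
    r"@(?P<ref>[^\s#]+)"
    r"\s*(?P<comment>#.*)?$"
)


def peeled_commit(ls_remote_output: str, tag: str) -> Optional[str]:
    """Pick the commit a tag points at from `git ls-remote` output.

    An annotated tag yields two lines: `refs/tags/<tag>` (the tag object) and
    `refs/tags/<tag>^{}` (the dereferenced commit).  A lightweight tag yields
    only the first, which already names a commit.  Prefer the peeled line.
    """
    plain = None
    for line in ls_remote_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            return sha
        if ref == f"refs/tags/{tag}":
            plain = sha
    return plain


def resolve_via_git(slug: str, tag: str) -> Optional[str]:
    """Real resolver: asks the upstream repo for the tag (network call)."""
    repo = "/".join(slug.split("/")[:2])  # drop any sub-path (owner/repo/dir)
    out = subprocess.run(
        ["git", "ls-remote", f"https://github.com/{repo}.git", f"refs/tags/{tag}"],
        check=True, capture_output=True, text=True,
    ).stdout  # for annotated tags git also prints the peeled ^{} line
    return peeled_commit(out, tag)


def pin_line(line: str, resolve: Callable[[str, str], Optional[str]]) -> str:
    """Rewrite one workflow line; non-matching and already-pinned lines pass through."""
    m = USES_RE.match(line)
    if not m:
        return line
    slug, ref = m.group("slug"), m.group("ref")
    if SHA40.match(ref):
        return line  # already a full SHA
    sha = resolve(slug, ref)
    if sha is None or not SHA40.match(sha):
        # Fail loudly: a silently skipped or truncated pin defeats the purpose.
        raise ValueError(f"could not resolve {slug}@{ref} to a 40-hex commit: {sha!r}")
    tail = f" # {ref}"
    if m.group("comment"):  # keep any pre-existing trailing comment
        tail += " " + m.group("comment").lstrip("#").strip()
    return f"{m.group('prefix')}{slug}@{sha}{tail}"


def pin_workflow(text: str, resolve: Callable[[str, str], Optional[str]]) -> Tuple[str, int]:
    """Return (pinned_text, number_of_lines_changed); line count is preserved 1:1."""
    lines = text.split("\n")
    pinned = [pin_line(line, resolve) for line in lines]
    return "\n".join(pinned), sum(1 for a, b in zip(lines, pinned) if a != b)


# --- constructed sample data (not from the niivue-vscode repo) ---------------
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - uses: docker://alpine:3.20
      - uses: example/already-pinned@0123456789abcdef0123456789abcdef01234567 # v1
  release:
    uses: ./.github/workflows/release_desktop.yml
"""

# Fake `git ls-remote` output; the SHAs are placeholders, not real commits.
FAKE_LS_REMOTE = {
    ("actions/checkout", "v6"):      # annotated tag: tag object + peeled commit
        "1" * 40 + "\trefs/tags/v6\n" + "2" * 40 + "\trefs/tags/v6^{}\n",
    ("actions/setup-node", "v4"):    # lightweight tag: commit only
        "3" * 40 + "\trefs/tags/v4\n",
}


def fake_resolve(slug: str, tag: str) -> Optional[str]:
    """Offline stand-in for resolve_via_git using the constructed output above."""
    return peeled_commit(FAKE_LS_REMOTE.get((slug, tag), ""), tag)


if __name__ == "__main__":
    new_text, changed = pin_workflow(SAMPLE_WORKFLOW, fake_resolve)
    print(f"{changed} references pinned\n{new_text}")
```

Resolving through `ls-remote` against the upstream repository's own refs, rather than copying a SHA from a third-party list, is the step that makes the pin trustworthy: GitHub resolves `owner/action@<sha>` against the whole fork network of that repository, so a SHA that was not reached via `owner/action`'s refs is not proof that the commit is upstream's. Re-running the script on an already-pinned tree is a no-op, which is what lets Dependabot's later SHA-plus-comment bumps coexist with it.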
github-actions Bot added a commit that referenced this pull request Jun 23, 2026
@github-actions

Contributor

🚀 PWA Preview Deployment

Your PWA preview has been deployed!

Preview URL: https://niivue.github.io/niivue-vscode/pr-260/
This preview will be updated automatically when you push new commits to this PR.

@korbinian90 korbinian90 merged commit 8549a73 into main Jun 23, 2026
12 checks passed
@github-actions

Contributor

🧹 PWA Preview Cleanup

The preview deployment for this PR has been removed.

github-actions Bot added a commit that referenced this pull request Jun 23, 2026