
fix: pin GitHub Actions to commit SHAs to prevent supply-chain attacks#225

Open
vinayada1 wants to merge 1 commit into privateerproj:main from vinayada1:sha-fix

Conversation

@vinayada1

Replaces mutable version tags with immutable commit SHA references for all first-party GitHub Actions (actions/checkout, actions/setup-go, actions/upload-artifact) across 5 workflow files. Dependabot is already configured for github-actions and will automatically propose SHA updates when new versions are released.

Signed-off-by: Vinaya Damle <vinayada@mac.lan>
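A check of the kind the reviewers describe (confirming that every `uses:` reference is pinned to a full commit SHA and carries the version comment Dependabot maintains), as an added example that is not part of this PR or the privateerproj repository; the workflow text and the 40-character refs in it are constructed placeholders, not the SHAs from this change.

```python
import re

# Matches `uses: owner/repo[/path]@ref` with an optional trailing `# comment`;
# the comment is where the human-readable version is conventionally recorded.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def find_pin_issues(workflow_text):
    """Report every `uses:` step not pinned to a full commit SHA, plus
    full-SHA pins that lack the version comment Dependabot keeps updated."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if FULL_SHA_RE.match(ref):
            issue = None if comment else "sha-without-version-comment"
        elif SHORT_SHA_RE.match(ref):
            issue = "short-sha"      # abbreviated SHAs are not collision-resistant pins
        else:
            issue = "mutable-ref"    # tag or branch: can be re-pointed at other content
        if issue:
            findings.append({"line": lineno, "action": action, "ref": ref, "issue": issue})
    return findings


# Constructed sample workflow; the 40-character refs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v5.0.0
      - uses: actions/upload-artifact@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
      - uses: actions/cache@abc1234
      - run: go test ./...
"""

if __name__ == "__main__":
    for f in find_pin_issues(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['action']}@{f['ref']} -> {f['issue']}")
```

Run over a real `.github/workflows/` tree, only the setup-go line above would pass; the other three steps are the cases a reviewer has to verify by hand.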
@vinayada1 vinayada1 requested a review from a team as a code owner April 3, 2026 20:35
Copilot AI review requested due to automatic review settings April 3, 2026 20:35
@github-actions github-actions bot added the fix label Apr 3, 2026

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub Actions supply chain by replacing mutable action version tags with immutable commit SHAs across the affected workflows.

Changes:

  • Pin actions/checkout to a commit SHA in all impacted workflows.
  • Pin actions/setup-go to a commit SHA in CI and lint workflows.
  • Pin actions/upload-artifact to a commit SHA in the OSPS security assessment workflow.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Reviewed files:

  • .github/workflows/security-insights.yml: Pins actions/checkout to an immutable commit SHA.
  • .github/workflows/post-merge.yml: Pins actions/checkout to an immutable commit SHA.
  • .github/workflows/osps-security-assessment.yml: Pins actions/checkout and actions/upload-artifact to immutable commit SHAs.
  • .github/workflows/lint.yml: Pins actions/checkout and actions/setup-go to immutable commit SHAs.
  • .github/workflows/ci.yml: Pins actions/checkout and actions/setup-go to immutable commit SHAs.



@eddie-knight eddie-knight left a comment


This is a good improvement, thanks @vinayada1

nacking for caution, as @jmeridth or I will need to manually verify every SHA prior to merge (complaints may be issued to GitHub who allow malicious commits to be affiliated with official repos)

@jmeridth

jmeridth commented Apr 3, 2026

Thank you for doing this. I agree with this PR, but for historical context these actions have immutable releases, so the content at those tags can't change. Hence them not being a priority, but this is the better "visible" practice.

@vinayada1 some conflicts to fix and copilot suggestions. Some of the copilot suggestions are not correct, beware. I've handled the invalid copilot comments.

@eddie-knight eddie-knight self-requested a review April 4, 2026 01:59

4 participants