Skip to content

Pin GitHub Actions to full-length commit SHAs#2748

Open
OssSecurityBot wants to merge 1 commit into
microsoft:mainfrom
OssSecurityBot:oss-security-bot/pin-actions
Open

Pin GitHub Actions to full-length commit SHAs#2748
OssSecurityBot wants to merge 1 commit into
microsoft:mainfrom
OssSecurityBot:oss-security-bot/pin-actions

Conversation

@OssSecurityBot

Copy link
Copy Markdown

Summary

This PR pins GitHub Actions to full-length commit SHAs for improved security and reproducibility and adds a 7 day cooldown to Dependabot configuration for GitHub Actions.

Why?

Pinning actions to commit SHAs prevents supply-chain attacks where a tag could be moved to point to malicious code. This is a recommended security best practice per the GitHub Actions security hardening guide.

This change mitigates the risk of tag retargeting to malicious code as seen in incidents like the tj-actions/changed-files action compromise or codfish/semantic-release-action compromise and improves the integrity and reproducibility of the CI/CD pipeline.

What changed?

Action pinning: Third-party action references in .github/workflows/ that used mutable tag-based references (e.g., actions/checkout@v4) have been updated to full-length commit SHAs with a version comment (e.g., actions/checkout@<sha> # v4) using the pinact tool. References that were already pinned to a SHA, or that used immutable release tags, were left unchanged.

Dependabot configuration: .github/dependabot.yml has been updated to ensure a github-actions package-ecosystem section is present with a cooldown configuration (default-days: 7). This groups Dependabot PRs for GitHub Actions and enforces a minimum 7-day cooldown between updates. If the file did not exist, it was created. If a github-actions section already existed, only the cooldown block was added or its default-days value was increased to 7 if it was lower. The 7-day cooldown provides a window for the community to detect and report compromised releases before they are automatically proposed as updates, reducing exposure to supply-chain attacks via newly published malicious versions.

Is this safe to merge?

Yes. The pinned SHAs correspond to the same commits that the existing tags pointed to. No behavioral changes are introduced. You can verify the pinned SHA value using the GitHub REST API (e.g., the commit hash for actions/checkout@v7 can be found in the sha property in the JSON response for GET https://api.github.com/repos/actions/checkout/commits/v7).


For more information, visit https://aka.ms/action-pinning

Copilot AI review requested due to automatic review settings July 10, 2026 14:25
@OssSecurityBot OssSecurityBot requested a review from a team as a code owner July 10, 2026 14:25

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s CI/CD supply chain by pinning GitHub Actions workflow dependencies to full commit SHAs (improving reproducibility and reducing tag-retargeting risk) and by introducing a Dependabot policy for GitHub Actions updates with a 7-day cooldown.

Changes:

  • Pin third-party GitHub Actions in existing workflows to full-length commit SHAs with version comments.
  • Add .github/dependabot.yml to manage GitHub Actions updates (grouped) with a weekly schedule and cooldown.default-days: 7.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
.github/workflows/stale.yml Pins actions/stale to a full commit SHA for deterministic execution.
.github/workflows/stale-assigned.yml Pins actions/stale to a full commit SHA for deterministic execution.
.github/workflows/lock.yml Pins dessant/lock-threads to a full commit SHA for deterministic execution.
.github/workflows/jekyll-gh-pages.yml Pins Pages/checkout/setup-node related actions to full commit SHAs.
.github/workflows/delete-merged-branches.yml Pins actions/checkout to a full commit SHA.
.github/workflows/codeql-analysis.yml Pins checkout/setup-node/codeql actions to full commit SHAs (but the steps: indentation appears invalid).
.github/workflows/ci.yml Pins checkout/setup-node actions to full commit SHAs (but the steps: indentation appears invalid).
.github/dependabot.yml Adds Dependabot config for GitHub Actions updates with grouping and a 7-day cooldown.

Comment on lines 53 to +55
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
Comment thread .github/workflows/ci.yml
Comment on lines 34 to +37
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants