Pin GitHub Actions to full-length commit SHAs#2748
Open
OssSecurityBot wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the repository’s CI/CD supply chain by pinning GitHub Actions workflow dependencies to full commit SHAs (improving reproducibility and reducing tag-retargeting risk) and by introducing a Dependabot policy for GitHub Actions updates with a 7-day cooldown.
Changes:
- Pin third-party GitHub Actions in existing workflows to full-length commit SHAs with version comments.
- Add
.github/dependabot.ymlto manage GitHub Actions updates (grouped) with a weekly schedule andcooldown.default-days: 7.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/stale.yml | Pins actions/stale to a full commit SHA for deterministic execution. |
| .github/workflows/stale-assigned.yml | Pins actions/stale to a full commit SHA for deterministic execution. |
| .github/workflows/lock.yml | Pins dessant/lock-threads to a full commit SHA for deterministic execution. |
| .github/workflows/jekyll-gh-pages.yml | Pins Pages/checkout/setup-node related actions to full commit SHAs. |
| .github/workflows/delete-merged-branches.yml | Pins actions/checkout to a full commit SHA. |
| .github/workflows/codeql-analysis.yml | Pins checkout/setup-node/codeql actions to full commit SHAs (but the steps: indentation appears invalid). |
| .github/workflows/ci.yml | Pins checkout/setup-node actions to full commit SHAs (but the steps: indentation appears invalid). |
| .github/dependabot.yml | Adds Dependabot config for GitHub Actions updates with grouping and a 7-day cooldown. |
Comment on lines
53
to
+55
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 |
Comment on lines
34
to
+37
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| - name: Use Node.js ${{ matrix.node-version }} | ||
| uses: actions/setup-node@v4 | ||
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR pins GitHub Actions to full-length commit SHAs for improved security and reproducibility and adds a 7 day cooldown to Dependabot configuration for GitHub Actions.
Why?
Pinning actions to commit SHAs prevents supply-chain attacks where a tag could be moved to point to malicious code. This is a recommended security best practice per the GitHub Actions security hardening guide.
This change mitigates the risk of tag retargeting to malicious code as seen in incidents like the tj-actions/changed-files action compromise or codfish/semantic-release-action compromise and improves the integrity and reproducibility of the CI/CD pipeline.
What changed?
Action pinning: Third-party action references in
.github/workflows/that used mutable tag-based references (e.g.,actions/checkout@v4) have been updated to full-length commit SHAs with a version comment (e.g.,actions/checkout@<sha> # v4) using the pinact tool. References that were already pinned to a SHA, or that used immutable release tags, were left unchanged.Dependabot configuration:
.github/dependabot.ymlhas been updated to ensure agithub-actionspackage-ecosystem section is present with acooldownconfiguration (default-days: 7). This groups Dependabot PRs for GitHub Actions and enforces a minimum 7-day cooldown between updates. If the file did not exist, it was created. If agithub-actionssection already existed, only thecooldownblock was added or itsdefault-daysvalue was increased to 7 if it was lower. The 7-day cooldown provides a window for the community to detect and report compromised releases before they are automatically proposed as updates, reducing exposure to supply-chain attacks via newly published malicious versions.Is this safe to merge?
Yes. The pinned SHAs correspond to the same commits that the existing tags pointed to. No behavioral changes are introduced. You can verify the pinned SHA value using the GitHub REST API (e.g., the commit hash for
actions/checkout@v7can be found in theshaproperty in the JSON response forGET https://api.github.com/repos/actions/checkout/commits/v7).For more information, visit https://aka.ms/action-pinning