Pin GitHub Actions to full commit SHAs #538

Merged
kingthorin merged 3 commits into master from copilot/update-github-actions-to-pinned-shas
Apr 11, 2026

Conversation

Contributor

Copilot AI commented Apr 11, 2026

Pin all mutable tag-based action refs to immutable 40-char commit SHAs to prevent supply-chain attacks where a tag could be silently redirected.

  • .github/workflows/validate-owasp-metadata.yaml: actions/checkout@v6 → pinned SHA # v6.0.2
  • .github/workflows/pr_comment.yml: actions/github-script@v9 → pinned SHA # v9.0.0
```yaml
# Before
uses: actions/checkout@v6

# After
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
```

owasp/nest-schema action was already SHA-pinned; no change needed.

@kingthorin kingthorin marked this pull request as ready for review April 11, 2026 13:54
@kingthorin kingthorin force-pushed the copilot/update-github-actions-to-pinned-shas branch from 8bc4db6 to c46dccf April 11, 2026 13:54
Co-authored-by: kingthorin <7570458+kingthorin@users.noreply.github.com>
Copilot AI changed the title [WIP] Update GitHub Actions workflows to pin actions to SHAs Pin GitHub Actions to full commit SHAs Apr 11, 2026
Copilot AI requested a review from kingthorin April 11, 2026 13:55
@kingthorin
Collaborator

@copilot the branch has been rebased. Double check your changes per the original requirement.

Contributor Author

Copilot AI commented Apr 11, 2026

> @copilot the branch has been rebased. Double check your changes per the original requirement.

Checked after the rebase. The new base commit (a6c674b) updated both workflow files but still had the mutable tag refs. My pinning commit (c46dccf) sits on top and correctly pins both remaining non-SHA refs:

  • actions/checkout@v6 → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  • actions/github-script@v9 → actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9

owasp/nest-schema action remains already SHA-pinned. No further changes needed.

@kingthorin
Collaborator

@copilot comments should use full semver ex # v9.0.0 vs # v9 (or whatever the actual valid values are)

Contributor Author

Copilot AI commented Apr 11, 2026

> @copilot comments should use full semver ex # v9.0.0 vs # v9 (or whatever the actual valid values are)

Updated in commit 4c18e1b:

  • actions/checkout → # v6.0.2
  • actions/github-script → # v9.0.0
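The PR description and the review request for full-semver comments together amount to one mechanical rule: every `uses:` ref in a workflow must point at a 40-character commit SHA, and the trailing comment must name the full version that SHA corresponds to. The following is an added example, not code from this repository or from the PR, that applies that rule to workflow text. The regex, the `check_workflow` function and the sample workflow are constructed for illustration; the sample reuses the two action SHAs shown in this PR. Local `./` actions and `docker://` images are skipped because they are not GitHub tag refs.

```python
"""Flag GitHub Actions `uses:` refs that are not pinned to a full commit SHA
with a full-semver version comment. Added example with constructed input."""
import re
import sys

# A `uses:` line: optional list dash, an optionally quoted ref, an optional
# `# comment`. Constructed regex; it matches step `uses:` keys and the
# reusable-workflow `uses:` key alike.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?([^\s#"\']+)["\']?(?:\s*#\s*(.*?))?\s*$'
)
# An immutable pin is a full 40-hex commit SHA.
SHA_RE = re.compile(r"[0-9a-fA-F]{40}")
# Full semver as requested in the review: `# v9.0.0`, not `# v9`.
SEMVER_RE = re.compile(r"v?\d+\.\d+\.\d+")

# Constructed sample workflow; not a file from the repository.
SAMPLE = """\
name: example
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
        with:
          script: console.log("hi")
      - uses: ./.github/actions/local
"""


def check_workflow(text):
    """Return (line_no, ref, problem) tuples for every `uses:` ref that is
    either a mutable tag/branch or a SHA pin without a full-semver comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and docker images are out of scope for tag pinning.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((n, ref, "missing @ref"))
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.fullmatch(version):
            findings.append(
                (n, ref, "mutable ref (tag or branch), not a 40-char commit SHA")
            )
        elif not SEMVER_RE.fullmatch(comment):
            findings.append(
                (n, ref, f"SHA-pinned but comment {comment!r} is not full semver")
            )
    return findings


def main(paths):
    """Check the workflow files given on the command line, or the sample
    when none are given. Returns the number of findings."""
    if paths:
        texts = {p: open(p, encoding="utf-8").read() for p in paths}
    else:
        texts = {"<sample>": SAMPLE}
    bad = 0
    for name, text in texts.items():
        for n, ref, problem in check_workflow(text):
            print(f"{name}:{n}: {ref}: {problem}")
            bad += 1
    return bad


if __name__ == "__main__":
    sys.exit(1 if main(sys.argv[1:]) else 0)
```

Run it as `python check_pins.py .github/workflows/*.yml .github/workflows/*.yaml` (hypothetical filename) in CI to fail the build on the first unpinned ref. The check is purely syntactic: it confirms the ref is a SHA and the comment is full semver, but not that the SHA is actually the commit behind that tag. To verify that, resolve the tag against the action's repository, for example `git ls-remote https://github.com/actions/checkout refs/tags/v6.0.2`, and compare the resulting commit with the pinned SHA before trusting the comment.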

@kingthorin kingthorin merged commit 753e006 into master Apr 11, 2026
@kingthorin kingthorin deleted the copilot/update-github-actions-to-pinned-shas branch April 11, 2026 14:03