Skip to content

ci: pin third-party github actions to immutable commit hashes#23

Open
jboix wants to merge 1 commit into
mainfrom
ci/pin-actions
Open

ci: pin third-party github actions to immutable commit hashes#23
jboix wants to merge 1 commit into
mainfrom
ci/pin-actions

Conversation

@jboix
Copy link
Copy Markdown
Member

@jboix jboix commented May 11, 2026

Description

Following GitHub's security best practices, this change ensures that workflow executions use an exact hash instead of a tag.

Unlike tags, commit hashes are immutable, protecting the repository against "tag shifting" where a malicious actor or a compromised maintainer could overwrite a version tag (e.g., @v1) with malicious code.

Ref: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Changes Made

  • Pinned third-party actions to specific SHAs.
  • Added the original tag as a comment for readability.
  • Skipped first-party actions/* repositories as they are trusted.

Checklist

  • I have followed the project's style and contribution guidelines.
  • I have performed a self-review of my own changes.
  • I have made corresponding changes to the documentation.
  • I have added tests that prove my fix is effective or that my feature works.

@jboix
ci: pin third-party github actions to immutable commit hashes
1096f93 
Following GitHub's security best practices, this change ensures that
workflow executions use an exact hash instead of a tag.

Unlike tags, commit hashes are immutable, protecting the repository
against "tag shifting" where a malicious actor or a compromised
maintainer could overwrite a version tag (e.g., @v1) with malicious code.

- Pinned third-party actions to specific SHAs.
- Added the original tag as a comment for readability.
- Skipped first-party `actions/*` repositories as they are trusted.

Ref: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
@jboix jboix requested a review from amtins May 11, 2026 14:15
@jboix jboix self-assigned this May 11, 2026
@jboix jboix added this to Pillarbox May 11, 2026
@github-project-automation github-project-automation Bot moved this to 📋 Backlog in Pillarbox May 11, 2026
@jboix jboix moved this from 📋 Backlog to 🍿 Code Review in Pillarbox May 11, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 11, 2026

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 92.02% 150 / 163
🔵 Statements 91.17% 155 / 170
🔵 Functions 93.93% 62 / 66
🔵 Branches 71.42% 40 / 56
File CoverageNo changed files found.
Generated in workflow #57 for commit 1096f93 by the Vitest Coverage Report Action

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 12, 2026

PR Preview Action v1.8.1

QR code for preview link

🚀 View preview at
https://SRGSSR.github.io/pillarbox-web-theme-editor/pr-preview/pr-23/

Built to branch gh-pages at 2026-05-12 09:06 UTC.
Preview will be ready when the GitHub Pages deployment is complete.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@amtins amtins Awaiting requested review from amtins

At least 1 approving review is required to merge this pull request.

Assignees

@jboix jboix

Labels

None yet

Projects

Pillarbox
Status: 🍿 Code Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jboix