
ci: pin third-party github actions to immutable commit hashes#23

Merged
jboix merged 1 commit into
mainfrom
ci/pin-actions
May 15, 2026

Conversation

@jboix
Member

@jboix jboix commented May 11, 2026

Description

Following GitHub's security best practices, this change ensures that workflow executions use an exact hash instead of a tag.

Unlike tags, commit hashes are immutable, protecting the repository against "tag shifting" where a malicious actor or a compromised maintainer could overwrite a version tag (e.g., @v1) with malicious code.

Ref: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Changes Made

  • Pinned third-party actions to specific SHAs.
  • Added the original tag as a comment for readability.
  • Skipped first-party actions/* repositories as they are trusted.

Checklist

  • I have followed the project's style and contribution guidelines.
  • I have performed a self-review of my own changes.
  • I have made corresponding changes to the documentation.
  • I have added tests that prove my fix is effective or that my feature works.

Following GitHub's security best practices, this change ensures that
workflow executions use an exact hash instead of a tag.

Unlike tags, commit hashes are immutable, protecting the repository
against "tag shifting" where a malicious actor or a compromised
maintainer could overwrite a version tag (e.g., @v1) with malicious code.

- Pinned third-party actions to specific SHAs.
- Added the original tag as a comment for readability.
- Skipped first-party `actions/*` repositories as they are trusted.

Ref: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
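The check below is an added example, not code from this pull request or from the Pillarbox project. It audits the `uses:` lines of a workflow file for the property the PR enforces: every third-party action reference must be a full 40-hex commit SHA, followed by a comment naming the original tag, while `actions/*` first-party references are skipped. The workflow text, action names and SHAs are constructed placeholders; the regex assumes the common unquoted `uses: owner/repo@ref` form and ignores local (`./`) and `docker://` references.

```python
"""Audit GitHub Actions workflow text for third-party actions not pinned to a commit SHA.

Added example (not the project's own tooling). Two constructed workflow snippets
show the unpinned form the PR replaces and the pinned form it introduces.
"""
import re
from dataclasses import dataclass

# `uses: owner/repo[/path]@ref` with an optional trailing `# <tag>` comment.
# Local actions (`./...`) and `docker://` images carry no `@`-separated owner/repo
# ref in this shape and are therefore not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+)(?:/[^@\s]+)?@(\S+)"
    r"(?:\s*#\s*(\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Owners treated as first-party and left unpinned, mirroring the PR's decision.
FIRST_PARTY_OWNERS = frozenset({"actions"})


@dataclass(frozen=True)
class Finding:
    line_no: int
    reference: str
    reason: str


def audit_workflow(text: str, first_party=FIRST_PARTY_OWNERS) -> list[Finding]:
    """Return one Finding per third-party action that is unpinned or lacks a tag comment."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        owner, repo, ref, tag_comment = match.groups()
        reference = f"{owner}/{repo}@{ref}"
        if owner in first_party:
            continue
        if not FULL_SHA_RE.match(ref):
            # A tag or branch name can be moved to point at different code later.
            findings.append(Finding(line_no, reference, "not pinned to a 40-hex commit SHA"))
        elif tag_comment is None:
            # Pinned correctly, but the reviewer cannot see which release the SHA maps to.
            findings.append(Finding(line_no, reference, "pinned, but missing the tag comment"))
    return findings


# Constructed sample: the pre-PR shape, third-party actions referenced by tag/branch.
SAMPLE_BEFORE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@v1
      - uses: another-org/coverage-action@main
"""

# Constructed sample: the post-PR shape, SHAs are placeholders, tags kept as comments.
SAMPLE_AFTER = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v1
      - uses: another-org/coverage-action@89abcdef0123456789abcdef0123456789abcdef # v2.3.1
"""


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        results = audit_workflow(sample)
        print(f"{label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line_no}: {f.reference}: {f.reason}")
```

Run against a real workflow directory by reading each `.github/workflows/*.yml` into `audit_workflow`; a non-empty result list is the signal to block the change in CI. The second finding class (SHA present, tag comment absent) is deliberately reported separately so that a pin without provenance is visible to reviewers without being treated as a security failure.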
@jboix jboix requested a review from amtins May 11, 2026 14:15
@jboix jboix self-assigned this May 11, 2026
@jboix jboix added this to Pillarbox May 11, 2026
@github-project-automation github-project-automation Bot moved this to 📋 Backlog in Pillarbox May 11, 2026
@jboix jboix moved this from 📋 Backlog to 🍿 Code Review in Pillarbox May 11, 2026
@github-actions

Coverage Report

Status   Category     Percentage   Covered / Total
🔵       Lines        92.02%       150 / 163
🔵       Statements   91.17%       155 / 170
🔵       Functions    93.93%       62 / 66
🔵       Branches     71.42%       40 / 56

File Coverage: No changed files found.
Generated in workflow #57 for commit 1096f93 by the Vitest Coverage Report Action

@github-actions

github-actions Bot commented May 12, 2026

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-05-15 18:05 UTC

@jboix jboix added this pull request to the merge queue May 15, 2026
Merged via the queue into main with commit 6b8c779 May 15, 2026
5 of 6 checks passed
@jboix jboix deleted the ci/pin-actions branch May 15, 2026 18:05
@github-project-automation github-project-automation Bot moved this from 🍿 Code Review to ✅ Done in Pillarbox May 15, 2026


2 participants