Skip to content

ci: pin GitHub Actions to commit SHA for security#790

Open
EricGrill wants to merge 1 commit intoACINQ:masterfrom
EricGrill:pin-github-actions-sha
Open

ci: pin GitHub Actions to commit SHA for security#790
EricGrill wants to merge 1 commit intoACINQ:masterfrom
EricGrill:pin-github-actions-sha

Conversation

@EricGrill
Copy link
Copy Markdown

@EricGrill EricGrill commented Jan 14, 2026

Summary

  • Pin all GitHub Actions to specific commit SHAs instead of mutable version tags
  • Add version comments above each pinned action for maintainability
  • Enable Dependabot to automatically manage SHA updates

Motivation

Using version tags for GitHub Actions introduces security risks:

  • Tag hijacking: An attacker could delete and recreate a tag pointing to malicious code
  • Upstream compromise: A compromised upstream could push malicious changes to existing tags
  • Supply chain attacks: Tags are mutable references that can change without notice

Pinning to commit SHAs ensures the exact code that was audited continues to run.

Changes

Action Version SHA
actions/checkout v2.7.0 ee0669bd1cc54295c223e0bb666b733df41de1c5
actions/cache v4.3.0 0057852bfaa89a56745cba8c7296529d2fc39830
actions/setup-java v1.4.4 b6e674f4b717d7b0ae3baee0fbe79f498905dfde
actions/upload-artifact v4.6.2 ea165f8d65b6e75b540449e92b4886f43607fa02

Test plan

  • Verify SHA references are correct by checking GitHub API
  • CI workflow should run successfully after merge

Fixes #716

Generated with Claude Code

@EricGrill @claude
ci: pin GitHub Actions to commit SHA for security
15cf031 
Pin all GitHub Actions to specific commit SHAs instead of mutable tags
to prevent supply chain attacks through:
- Malicious commits to existing tags
- Tag hijacking/deletion
- Upstream repository compromise

Actions pinned:
- actions/checkout: v2.7.0 -> ee0669bd1cc54295c223e0bb666b733df41de1c5
- actions/cache: v4.3.0 -> 0057852bfaa89a56745cba8c7296529d2fc39830
- actions/setup-java: v1.4.4 -> b6e674f4b717d7b0ae3baee0fbe79f498905dfde
- actions/upload-artifact: v4.6.2 -> ea165f8d65b6e75b540449e92b4886f43607fa02

Version comments added above each action for maintainability.
Dependabot can automatically update these SHAs when new versions are released.

Fixes ACINQ#716

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

ci: actions in workflow should be pinned to commit SHA not tags

1 participant

@EricGrill