
security: pin all GitHub Actions by commit SHA#400

Merged
0x46616c6b merged 2 commits into main from security/pin-actions-by-sha
Feb 24, 2026

Conversation

@0x46616c6b
Contributor

Type of Change

  • Bugfix
  • Enhancement / new feature
  • Refactoring
  • Documentation

Description

Pin all external GitHub Action references to their full 40-character commit SHA to improve supply-chain security and prevent tag manipulation attacks.

Format used:

uses: owner/action@<full-commit-sha> # vX.Y.Z

Why this matters:

  • Git tags are mutable -- a malicious actor could move a tag to point to compromised code
  • SHA pinning ensures the exact code version is immutable
  • The version comment (# vX.Y.Z) preserves human-readable version info

What changed:

  • 48 action references across 18 workflow files pinned by SHA
  • Major-only tags (@v6, @v4, @v5, @v8) resolved to their latest concrete patch version
  • Internal reusable workflow references (@main) left unchanged as they reside in this repository

Dependabot compatibility:
Dependabot natively supports this format and will automatically update both the SHA and the version comment when new releases are available. The existing Dependabot configuration does not need any changes.

Checklist

  • Add relevant labels (for example type of change or patch/minor/major)
  • Make sure not to introduce any mistakes
  • Update documentation
  • Review the Contributing Guideline and sign CLA
  • Reference relevant issue(s) and close them after merging

The changes and the PR were generated by OpenCode.

0x46616c6b and others added 2 commits February 23, 2026 14:17
Pin all external action references to their full commit SHA for
supply-chain security, preventing tag manipulation attacks.

Each reference uses the format:
  uses: owner/action@<sha> # vX.Y.Z

This format is natively supported by Dependabot, which will
automatically update both the SHA and version comment on new releases.

Changes:
- 48 action references across 18 workflow files pinned by SHA
- Major-only tags (v6, v4, v5, v8) resolved to their latest patch version
- Internal reusable workflow refs (@main) left unchanged

Co-Authored-By: OpenCode <noreply@opencode.ai>
yamllint requires min-spaces-before: 2 for inline comments.
Adjust all SHA-pinned action references from '# vX.Y.Z' to '  # vX.Y.Z'.

Co-Authored-By: OpenCode <noreply@opencode.ai>
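As an added example (not part of this PR or the project), a small Python audit that applies the rules stated in the description and the second commit message: a `uses:` reference passes only if it is a full 40-hex commit SHA followed by a `  # vX.Y.Z` comment with two spaces before `#`, while `./` local actions and `@main` reusable workflows inside the repository itself are skipped. The sample workflow, the placeholder SHAs and the `example-org/example-repo` repository name are constructed for this example.

```python
import re

# Constructed sample workflow for this example (not from the PR); the SHAs are
# placeholders, not the real commits behind any release of these actions.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4.2.2
      - uses: actions/setup-node@v4
      - uses: actions/cache@89abcdef0123456789abcdef0123456789abcdef # v4.2.0
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
  reuse:
    uses: example-org/example-repo/.github/workflows/reusable.yml@main
  other:
    uses: other-org/shared/.github/workflows/ci.yml@main
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<ref>\S+)(?P<comment>\s+#.*)?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# yamllint min-spaces-before: 2, then the human-readable version the PR keeps as a comment.
VERSION_COMMENT_RE = re.compile(r"^ {2,}#\s*v\d+(\.\d+){0,2}\s*$")

def audit_workflow(text, own_repo):
    """Return (line_no, reference, problem) for each `uses:` that is not acceptably pinned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # in-repo path or container image: not a remote action tag to pin
        target, _, version = ref.rpartition("@")
        if version == "main" and target.startswith(own_repo + "/"):
            continue  # internal reusable workflow: same repository, same review gate
        if not SHA_RE.match(version):
            findings.append((line_no, ref, "not pinned to a full 40-character commit SHA"))
        elif not VERSION_COMMENT_RE.match(m.group("comment") or ""):
            findings.append((line_no, ref, "SHA pin lacks a '  # vX.Y.Z' comment (2 spaces before '#')"))
    return findings

if __name__ == "__main__":
    for line_no, ref, problem in audit_workflow(SAMPLE_WORKFLOW, "example-org/example-repo"):
        print(f"line {line_no}: {ref}: {problem}")
```

Run against a real `.github/workflows/` directory, any reported line is a reference Dependabot cannot keep pinned in the `owner/action@<sha>  # vX.Y.Z` form the PR standardises on.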
@0x46616c6b 0x46616c6b marked this pull request as ready for review February 23, 2026 13:26
@0x46616c6b 0x46616c6b requested a review from a team as a code owner February 23, 2026 13:26
@flaxel flaxel added enhancement New feature or request minor Pull requests with new features labels Feb 23, 2026
Contributor

@timdittler timdittler left a comment


@0x46616c6b 0x46616c6b merged commit d769c39 into main Feb 24, 2026
8 checks passed
@0x46616c6b 0x46616c6b deleted the security/pin-actions-by-sha branch February 24, 2026 08:55
@github-actions github-actions bot locked and limited conversation to collaborators Feb 24, 2026