ci: pin all GitHub Actions to immutable commit SHAs #20
Replace mutable version tags with full commit SHAs to prevent supply-chain attacks via tag mutation. Version comments retained for readability.

SHA mapping (resolved 2026-03-11):
- actions/checkout v4 → 34e11487
- actions/setup-python v5 → a26af69b
- actions/upload-artifact v4 → ea165f8d
- github/codeql-action v3 → 820e3160

Already pinned (unchanged):
- pypa/gh-action-pip-audit → ecbf276b (v1.1.0)
- ossf/scorecard-action → 0864cf19 (v2.4.0)

Affected workflows: codeql-analysis, semgrep, bandit, pip-audit, scorecard.
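The two checks a reviewer of this PR wants are (a) that every `uses:` in the workflows is a full 40-hex SHA with a version comment, and (b) that each SHA really is the commit the named tag resolved to. The script below is an added example for this page, not code from the PR or the repository. It parses workflow text with a regular expression rather than a YAML library so it runs without dependencies, and it reads `git ls-remote --tags` output, where an annotated tag appears both as the tag object and as a peeled `^{}` commit. The sample workflow and ls-remote output are constructed; the `34e1148…` SHA is the `actions/checkout` pin from this PR, while the `deadbeef…`, `1111…` and `2222…` SHAs are placeholders.

```python
import re

# `uses:` reference of the form owner/repo[/path]@ref with an optional trailing
# "# comment". Local actions (./path) and docker:// images do not match and are
# skipped; they are not pinned by git ref at all.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.\-]+/[A-Za-z0-9_.\-/]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_HEX_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")


def classify_ref(ref: str) -> str:
    """'sha' for a full 40-hex commit, 'short-sha' for an abbreviated hex
    prefix (resolvable by the server, but not a unique identifier), otherwise
    'tag' (a tag or branch name, which the action owner can move)."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if SHORT_HEX_RE.match(ref):
        return "short-sha"
    return "tag"


def audit_workflow(text: str) -> list:
    """Return (line, action, ref, reason) for every `uses:` that is not a
    full-SHA pin carrying a `# vX[.Y[.Z]]` version comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        kind = classify_ref(ref)
        if kind == "tag":
            findings.append((lineno, action, ref, "mutable tag or branch"))
        elif kind == "short-sha":
            findings.append((lineno, action, ref, "abbreviated SHA"))
        elif not comment or not VERSION_COMMENT_RE.match(comment.strip()):
            findings.append((lineno, action, ref, "missing version comment"))
    return findings


def tag_to_commit(ls_remote_output: str) -> dict:
    """Parse `git ls-remote --tags <repo-url>` output into {tag: commit}.
    An annotated tag is listed twice: refs/tags/v4 (the tag object) and
    refs/tags/v4^{} (the peeled commit). A SHA pin must reference the commit,
    so the peeled entry takes precedence over the tag object."""
    plain, peeled = {}, {}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split(None, 1)
        if not ref.startswith("refs/tags/"):
            continue
        tag = ref[len("refs/tags/"):]
        if tag.endswith("^{}"):
            peeled[tag[:-3]] = sha
        else:
            plain[tag] = sha
    return {**plain, **peeled}


def pin_matches(ls_remote_output: str, tag: str, sha: str) -> bool:
    """True if the pinned SHA is the commit the tag currently resolves to."""
    return tag_to_commit(ls_remote_output).get(tag) == sha


# Constructed sample workflow for this example (not a file from the PR).
SAMPLE_WORKFLOW = """\
name: bandit
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5.1.0
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: pypa/gh-action-pip-audit@ecbf276b
      - uses: actions/upload-artifact@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/tool:1.2
"""

# Constructed stand-in for `git ls-remote --tags https://github.com/actions/checkout`.
# 1111... and 2222... are placeholders; the peeled v4^{} entry is the PR's pin.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v4
34e114876b0b11c390a56381ad16ebd13914f8d5\trefs/tags/v4^{}
2222222222222222222222222222222222222222\trefs/tags/v4.0.0
"""

if __name__ == "__main__":
    for lineno, action, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref}: {reason}")
    print("v4 pin matches:",
          pin_matches(SAMPLE_LS_REMOTE, "v4", "34e114876b0b11c390a56381ad16ebd13914f8d5"))
```

Run `audit_workflow` over each file under `.github/workflows/` before merging; it flags the `@v4` tag, the `@v5.1.0` release tag (immutable by convention only), the eight-character `ecbf276b` prefix and the comment-less pin, and passes only the full SHA with its `# v4` comment. For the resolution check, feed it real `git ls-remote --tags` output and compare against the peeled entry; comparing against the unpeeled line of an annotated tag gives a tag-object hash that no workflow can reference.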
Pull request overview
Pins GitHub Actions used across the repository’s security workflows to immutable commit SHAs to reduce supply-chain risk from mutable tag updates.
Changes:
- Replace `@v*` tags with full commit SHAs for `actions/checkout`, `actions/setup-python`, `actions/upload-artifact`, and `github/codeql-action/*`.
- Ensure Code Scanning SARIF uploads use pinned `github/codeql-action/upload-sarif` references.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/semgrep.yml | Pin checkout and SARIF upload actions to SHAs. |
| .github/workflows/scorecard.yml | Pin checkout and SARIF upload actions to SHAs. |
| .github/workflows/pip-audit.yml | Pin checkout and setup-python actions to SHAs. |
| .github/workflows/codeql-analysis.yml | Pin checkout and CodeQL init/autobuild/analyze actions to SHAs. |
| .github/workflows/bandit.yml | Pin checkout, setup-python, upload-sarif, and upload-artifact actions to SHAs. |
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | ||
| - name: Initialize CodeQL |
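Review bot: The `# v4` annotation on the new `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5` line records only the moving major-version tag, so a later audit cannot tell which release the commit was resolved from; annotate it with the exact release tag as well. When verifying, compare the SHA against the peeled entry from `git ls-remote --tags https://github.com/actions/checkout` (the `refs/tags/v4^{}` line if v4 is an annotated tag), because the unpeeled line of an annotated tag is the tag object, not a commit a workflow can reference.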
In this workflow, the steps: sequence items are not indented under steps: (the - name: entries are aligned with steps:). This makes the YAML invalid and will prevent the CodeQL workflow from running. Indent all step list items beneath steps: (and keep uses/with aligned under each step).
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
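Review bot: A SHA pin only stays safe if something bumps it when the action ships a fix, and Dependabot's `github-actions` ecosystem (like Renovate) updates the SHA and the trailing comment together only when the comment is in the `# vX` form used here on the `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` line; keep that exact form on every pinned `uses:`, and add a `package-ecosystem: github-actions` entry to `.github/dependabot.yml` if the repository does not already have one, otherwise these pins silently fall behind security releases.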
The header "Audit notes" in this workflow says mutable tags (e.g., actions/checkout@v4, github/codeql-action@v3) are acceptable, but this PR pins them to immutable SHAs. Please update/remove that note so the documentation matches the new security posture.
| security-events: write | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
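Review bot: This job's token carries `security-events: write`, so any code running in it can alter Code Scanning results; that is what makes the pin on `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` matter here, and it is worth confirming the `permissions` block sits at job scope rather than workflow scope so only the step that uploads SARIF runs with it. As a style point, give the step a `name:` (the other workflows in this PR use `- name: Checkout repository`) so it is identifiable in run logs.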
The PR description’s SHA mapping table appears to contain non-hex/escaped characters for some SHAs (e.g., setup-python/upload-artifact), which makes it hard to audit the pins. Please update the PR description to show the full 40-hex commit SHAs that match the workflow changes.
Pin Actions to SHA
Replaces all mutable version tags with full commit SHAs across every workflow file to prevent supply-chain attacks via tag mutation.
SHA Mapping (resolved 2026-03-11)