
Commit bac8be8

committed
🤖 ci: pin all GitHub Actions to SHA hashes
Pin all 50 action references to commit SHAs with version comments, addressing the supply-chain security risk from mutable version tags.

Changes:
- Add scripts/pin-actions.sh: wrapper to download and run pinact
- Add 'make pin-actions' target for easy re-pinning
- Remove unpinned-uses.disable from .github/zizmor.yml
- Pin all actions across 9 workflow/action files
- Fix chromaui/action@latest → pinned SHA

Example transformation: uses: actions/checkout@v4 → uses: actions/checkout@34e11487...# v4.3.1
1 parent df7ee82 commit bac8be8

13 files changed

+81
-56
lines changed

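--- a/.github/actions/setup-mux/action.yml
+++ b/.github/actions/setup-mux/action.yml
@@ -4,7 +4,7 @@ runs:
   using: "composite"
   steps:
     - name: Setup Bun
-      uses: oven-sh/setup-bun@v2
+      uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0
       with:
         bun-version: 1.3.5
 
@@ -15,7 +15,7 @@ runs:
 
     - name: Cache node_modules
       id: cache-node-modules
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: node_modules
         key: ${{ runner.os }}-${{ runner.arch }}-bun-${{ steps.bun-version.outputs.version }}-node-modules-${{ hashFiles('**/bun.lock') }}
@@ -37,7 +37,7 @@ runs:
     - name: Cache bun install cache
       if: steps.check-node-modules.outputs.exists != 'true'
       id: cache-bun-install
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ~/.bun/install/cache
         key: ${{ runner.os }}-bun-cache-${{ hashFiles('**/bun.lock') }}
@@ -58,7 +58,7 @@ runs:
     # Cache Electron binaries and electron-builder resources (NSIS, etc.)
     # These are downloaded during electron-builder and can be 200MB+ total
     - name: Cache Electron
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: |
           ~/.cache/electron
@@ -69,7 +69,7 @@ runs:
           ${{ runner.os }}-${{ runner.arch }}-electron-
 
     - name: Cache electron-builder
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: |
           ~/.cache/electron-builder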
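Review bot: A SHA pin only keeps its value while something bumps it — a frozen SHA also freezes any security fix shipped in a later release of the action — so the pins here and in the other eight workflow/action files in this commit (setup-ollama, setup-playwright, auto-label, chromatic, pr, publish-npm, release) need an automated update path; confirm the repository's Dependabot or Renovate configuration covers `github-actions` and bumps SHA-pinned `uses:` lines, since both tools rely on the trailing `# vX.Y.Z` comment to know which release a SHA corresponds to. The description says `scripts/pin-actions.sh` downloads and runs pinact, but that script is outside this view, so I cannot confirm the pinact download is itself pinned to a release and verified against a published checksum — without that, the pinning tool is the new unpinned dependency. Re-enabling zizmor's `unpinned-uses` check (per the description) will catch a regression to a mutable tag, but not a stale pin, which is why the bump automation matters. A short header comment on each action file, e.g. `# Action refs are SHA-pinned; run 'make pin-actions' to re-pin, keep the trailing version comment in sync`, would tell the next editor not to hand-edit these.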

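--- a/.github/actions/setup-ollama/action.yml
+++ b/.github/actions/setup-ollama/action.yml
@@ -6,14 +6,14 @@ runs:
   steps:
     - name: Cache Ollama binary
       id: cache-ollama-binary
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ./.ollama-install
         key: ${{ runner.os }}-ollama-binary-v2
 
     - name: Cache Ollama models
       id: cache-ollama-models
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ~/.ollama
         key: ${{ runner.os }}-ollama-models-v2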

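--- a/.github/actions/setup-playwright/action.yml
+++ b/.github/actions/setup-playwright/action.yml
@@ -19,7 +19,7 @@ runs:
 
     - name: Cache Playwright browsers
       id: cache-playwright
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ~/.cache/ms-playwright
         key: ${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}-${{ inputs.browsers }}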

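--- a/.github/workflows/auto-label.yml
+++ b/.github/workflows/auto-label.yml
@@ -19,10 +19,10 @@ jobs:
     runs-on: ubuntu-latest
     if: github.actor != 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0
 
       - name: Label with mux
         env: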

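--- a/.github/workflows/chromatic.yml
+++ b/.github/workflows/chromatic.yml
@@ -15,7 +15,7 @@ jobs:
     if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push'
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0 # Required for Chromatic to track changes
           persist-credentials: false
@@ -32,7 +32,7 @@ jobs:
         run: bun x storybook build --stats-json
 
       - name: Run Chromatic
-        uses: chromaui/action@latest
+        uses: chromaui/action@07791f8243f4cb2698bf4d00426baf4b2d1cb7e0 # v13.3.5
         with:
           projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
           exitZeroOnChanges: true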
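Review bot: The change at old line 35 is the most consequential pin in the commit and deserves its own comment: `chromaui/action@latest` was a floating tag that let the vendor's newest code run with `secrets.CHROMATIC_PROJECT_TOKEN` on every run, and nothing in the file recorded that this was deliberate. Now that it is fixed to a SHA, the step will silently stay on v13.3.5 until someone re-pins, so a comment on the step such as `# SHA-pinned (was @latest); bump via 'make pin-actions' or Dependabot` would tell a maintainer why Chromatic updates no longer arrive on their own. The fork guard on the `if:` at old line 15 is context here, not new code, but note it is what keeps the token from being exposed to fork PRs, so it should not be loosened when the action is next updated.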

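--- a/.github/workflows/pr.yml
+++ b/.github/workflows/pr.yml
@@ -35,10 +35,10 @@ jobs:
       backend: ${{ steps.filter.outputs.backend }}
       browser: ${{ steps.filter.outputs.browser }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
-      - uses: dorny/paths-filter@v3
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: filter
         with:
           filters: |
@@ -72,13 +72,13 @@ jobs:
     if: github.event_name != 'push' || github.actor != 'github-merge-queue[bot]'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
       - uses: ./.github/actions/setup-mux
       - run: ./scripts/generate-version.sh
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: ~/.local/bin/shfmt
           key: ${{ runner.os }}-shfmt-latest
@@ -101,7 +101,7 @@ jobs:
           set -euo pipefail
           sudo apt-get update
           sudo apt-get install -y shellcheck
-      - uses: cachix/install-nix-action@v27
+      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
         with:
           extra_nix_config: |
             experimental-features = nix-command flakes
@@ -120,15 +120,15 @@ jobs:
     if: ${{ (needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true') && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]') }}
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
       - uses: ./.github/actions/setup-mux
       - run: make build-main
       # workflow_dispatch inputs are only triggerable by repo members, so direct
       # interpolation is acceptable and preserves shell quoting in the filter.
       - run: bun test --coverage --coverage-reporter=lcov ${{ github.event.inputs.test_filter || 'src' }} # zizmor: ignore[template-injection]
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage/lcov.info
@@ -142,7 +142,7 @@ jobs:
     timeout-minutes: 10
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
       - uses: ./.github/actions/setup-mux
@@ -179,7 +179,7 @@ jobs:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           BACKEND: ${{ needs.changes.outputs.backend }}
           BROWSER: ${{ needs.changes.outputs.browser }}
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: ./coverage/lcov.info
@@ -192,7 +192,7 @@ jobs:
     if: ${{ (needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true') && github.event.inputs.test_filter == '' && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]') }}
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
       - uses: ./.github/actions/setup-mux
@@ -226,7 +226,7 @@ jobs:
             runner: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }}
     runs-on: ${{ matrix.runner }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
       - uses: ./.github/actions/setup-mux
@@ -251,7 +251,7 @@ jobs:
     if: ${{ (needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true') && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]') }}
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -266,7 +266,7 @@ jobs:
           # shellcheck disable=SC2012 # ls is fine here - known filename pattern in controlled directory
           TARBALL=$(ls mux-*.tgz | head -1)
           PACKAGE_TARBALL="$TARBALL" ./scripts/smoke-test.sh
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: smoke-server-logs
@@ -280,12 +280,12 @@ jobs:
     if: github.event_name == 'merge_group' || (github.event_name == 'push' && github.actor != 'github-merge-queue[bot]')
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
-      - uses: docker/setup-buildx-action@v3
-      - uses: docker/build-push-action@v6
+      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
           load: true
@@ -313,14 +313,14 @@ jobs:
     if: ${{ (needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true') && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]') }}
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
       - uses: ./.github/actions/setup-mux
       - run: bun run build
       - run: make dist-linux
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-linux
           path: release/*.AppImage
@@ -333,7 +333,7 @@ jobs:
     if: ${{ needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true' }}
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-15' || 'macos-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -348,13 +348,13 @@ jobs:
           AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
           AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
       - run: make dist-mac
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-macos-x64
           path: release/*-x64.dmg
           retention-days: 30
           if-no-files-found: error
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-macos-arm64
           path: release/*-arm64.dmg
@@ -368,7 +368,7 @@ jobs:
     if: ${{ (github.event_name == 'merge_group' || (github.event_name == 'push' && github.ref == 'refs/heads/main')) && (needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true') }}
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -403,7 +403,7 @@ jobs:
           EV_KEY: ${{ vars.EV_KEY }}
           EV_TSA_URL: ${{ vars.EV_TSA_URL }}
           GCLOUD_ACCESS_TOKEN: ${{ steps.signing.outputs.gcloud_access_token }}
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-windows
           path: release/*.exe
@@ -416,13 +416,13 @@ jobs:
     if: ${{ (needs.changes.outputs.src == 'true' || needs.changes.outputs.config == 'true') && (github.event_name != 'push' || github.actor != 'github-merge-queue[bot]') }}
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false
       - uses: ./.github/actions/setup-mux
       - uses: ./.github/actions/build-vscode-extension
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: build-vscode
           path: vscode/mux-*.vsix
@@ -434,7 +434,7 @@ jobs:
     if: github.event_name == 'pull_request'
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0
           persist-credentials: false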
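Review bot: The `actions/cache` step pinned at old line 81 restores `~/.local/bin/shfmt` under the key `${{ runner.os }}-shfmt-latest`, which contains neither a version nor a checksum, so whatever shfmt binary was cached first under that key is what every later run executes, and the SHA pin on the cache action does nothing to tie the restored artifact to a known release; the step that downloads shfmt on a cache miss is outside this hunk, so I cannot confirm how it selects a version. If the download step pins a version, put that version in the key, e.g. `key: ${{ runner.os }}-shfmt-<pinned shfmt version>`, so that a bump actually refreshes the cached binary and the cache entry is tied to the intended release. The `codecov/codecov-action` pins at old lines 131 and 182 and the `docker/*` pins at old lines 287–288 look correct and need no change; the version comment `# v27` at old line 104 is shorter than the others, which is fine if `v27` is the exact tag the SHA was resolved from, but worth a glance when the next re-pin runs.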

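--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -29,7 +29,7 @@ jobs:
       id-token: write # Required for OIDC trusted publishing
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           fetch-depth: 0 # Required for git describe to find tags
           persist-credentials: false
@@ -38,7 +38,7 @@ jobs:
 
       # Setup Node.js 24+ for npm v11+ required by OIDC trusted publishing.
       # Node 22 ships with npm 10.x which does NOT support OIDC.
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
@@ -104,7 +104,7 @@ jobs:
 
       - name: Upload server logs on smoke test failure
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: smoke-test-logs
           path: |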

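--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,7 +49,7 @@ jobs:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-15' || 'macos-latest' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.tag || github.ref }}
           fetch-depth: 0 # Required for git describe to find tags
@@ -80,7 +80,7 @@ jobs:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.tag || github.ref }}
           fetch-depth: 0 # Required for git describe to find tags
@@ -102,7 +102,7 @@ jobs:
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.tag || github.ref }}
           fetch-depth: 0 # Required for git describe to find tags
@@ -155,7 +155,7 @@ jobs:
     runs-on: windows-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           ref: ${{ inputs.tag || github.ref }}
           fetch-depth: 0
@@ -200,7 +200,7 @@ jobs:
           GCLOUD_ACCESS_TOKEN: ${{ steps.signing.outputs.gcloud_access_token }}
 
       - name: Upload Windows artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: windows-release
           path: |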
