Conversation

@ethanndickson
Member

Pin all 50 action references to commit SHAs with version comments, addressing the supply chain security risk from mutable version tags.

Why

Version tags like @v4 can be moved by maintainers, which is a supply chain risk. Pinning to full commit SHAs ensures immutable references. See GitHub's security hardening guide.

Changes

  • scripts/pin-actions.sh: Wrapper to download and run pinact
  • make pin-actions: New target for easy re-pinning after Dependabot updates
  • .github/zizmor.yml: Remove unpinned-uses.disable (no longer needed)
  • 9 workflow/action files: All 50 action references pinned

Example transformation

# Before
- uses: actions/checkout@v4

# After
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

Maintenance

When Dependabot opens PRs to update action versions, run make pin-actions to re-pin to the new SHAs.


Generated with mux • Model: anthropic:claude-opus-4-5 • Thinking: high • Cost: $9.91
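As an added illustration of the check this PR is enforcing (not the PR's own scripts/pin-actions.sh, and not pinact), the POSIX sh script below scans workflow files for `uses:` references that are still on a mutable tag or branch, or that carry a SHA without the `# vX.Y.Z` comment; the sample workflow fragment is constructed, not taken from the repository.

```shell
#!/bin/sh
# Added example, not the PR's scripts/pin-actions.sh: flag `uses:` references in
# GitHub workflow files that are not pinned to a full commit SHA, or that lack the
# "# vX.Y.Z" comment pinact leaves behind. Assumes POSIX sh, sed and mktemp.

# is_sha REF -> true when REF is a 40-character hex commit SHA
is_sha() {
  case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
  [ "${#1}" -eq 40 ]
}

# check_uses_line LINE -> prints ok:/skip:/unpinned:/no-comment: followed by the
# target; returns 1 for the two failing cases; prints nothing for non-uses lines
check_uses_line() {
  target=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
  [ -n "$target" ] || return 0
  target=${target#\"}; target=${target%\"}; target=${target#\'}; target=${target%\'}
  case "$target" in
    ./*|docker://*) printf 'skip:%s\n' "$target"; return 0 ;;  # local/container actions carry no tag to pin
  esac
  ref=${target##*@}
  if [ "$ref" = "$target" ] || ! is_sha "$ref"; then
    printf 'unpinned:%s\n' "$target"; return 1                # tag, branch, "latest", or no ref at all
  fi
  case "$1" in
    *"# v"*) printf 'ok:%s\n' "$target" ;;
    *) printf 'no-comment:%s\n' "$target"; return 1 ;;         # SHA without a human-readable version
  esac
}

# scan_file FILE -> prints only the failing findings, returns 1 if there were any
scan_file() {
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    res=$(check_uses_line "$line") || bad=1
    case "$res" in ok:*|skip:*|"") ;; *) printf '%s\n' "$res" ;; esac
  done < "$1"
  return "$bad"
}

# demo -> scans a constructed workflow fragment (sample input, not a repo file)
demo() {
  tmp=$(mktemp)
  printf '%s\n' '      - uses: actions/checkout@v4' \
    '      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1' \
    '      - uses: chromaui/action@latest' \
    '      - uses: ./.github/actions/setup' > "$tmp"
  scan_file "$tmp" && rc=0 || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Usage: sh check-pins.sh .github/workflows/*.yml  (no arguments runs the demo)
if [ "$#" -gt 0 ]; then
  for f in "$@"; do scan_file "$f" || status=1; done; exit "${status:-0}"
else
  demo || true
fi
```

Run against the real workflow directory it exits non-zero on the first unpinned or uncommented reference, which makes it usable as a CI gate alongside zizmor's unpinned-uses rule.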

@ethanndickson
Member Author

The Test / Unit job is failing with 2 tests in handleCompactCommand:

  • passes reviews to continueMessage when reviews are attached
  • creates continueMessage with only reviews (no text)

These tests pass locally but fail consistently in CI. This appears to be a flaky test or environment issue unrelated to this PR (which only pins action SHAs). The test mock expects sendMessage to be called but receives 0 calls.

Evidence this is not caused by this PR:

  • Tests pass locally on main branch
  • The changes in this PR only modify workflow YAML files and add a pin-actions script
  • No TypeScript/test code was modified

Pin all 50 action references to commit SHAs with version comments,
addressing the supply chain security risk from mutable version tags.

Changes:
- Add scripts/pin-actions.sh: wrapper to download and run pinact
- Add 'make pin-actions' target for easy re-pinning
- Remove unpinned-uses.disable from .github/zizmor.yml
- Pin all actions across 9 workflow/action files
- Fix chromaui/action@latest → pinned SHA

Example transformation:
  uses: actions/checkout@v4
  → uses: actions/checkout@34e11487...# v4.3.1
@ethanndickson
Member Author

Update: The handleCompactCommand test failures are affecting multiple PRs and even the merge queue. Main branch CI was green at 32972f73 (08:48 UTC) but subsequent PR runs are failing the same test.

This appears to be a flaky test issue - the test passes locally consistently but fails intermittently in CI. The test relies on mock functions and may have a race condition or timing issue in the CI environment.

This PR only changes workflow YAML files and adds a shell script - no test code was modified.
