
[SECENG-364] Pin GitHub Actions to commit SHAs #101

Draft
Stephanie Ginovker (sginovker) wants to merge 1 commit into main from security/pin-actions-to-sha


@sginovker Stephanie Ginovker (sginovker) commented Apr 8, 2026

Ticket

SECENG-364

Summary

Pin all external GitHub Actions to commit SHAs for supply chain security. Internal (hoverinc/) actions are left unpinned.

Pinned Actions

Dependabot

Added/updated dependabot.yml to keep GitHub Actions pinned to the latest SHA with a 7-day update cooldown.


Approved: GHA pinned to SHAs. Verified changes are correct.
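
One way to check the policy in the summary (external actions pinned to a full commit SHA, internal `hoverinc/` actions exempt), added here as an example and not part of this pull request or the repository. The function names, the line-based regex scan, the sample workflow and the placeholder SHA are all assumptions made for illustration.

```python
import re

# Matches "uses: owner/repo[/path]@ref" in a step or a reusable-workflow job,
# with optional quotes and an optional trailing "# v4"-style comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#.*)?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
INTERNAL_PREFIXES = ("hoverinc/",)  # internal org named in the PR summary


def classify(target):
    """Return 'local', 'docker', 'internal', 'pinned' or 'unpinned'."""
    if target.startswith("./"):
        return "local"
    if target.startswith("docker://"):
        return "docker"  # image references are outside this check
    if target.lower().startswith(INTERNAL_PREFIXES):
        return "internal"
    _, _, ref = target.partition("@")
    return "pinned" if FULL_SHA_RE.match(ref) else "unpinned"


def unpinned_actions(workflow_text):
    """Return (line_number, target) for external actions lacking a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow; the SHA and the action names are placeholders.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@v4
      - uses: hoverinc/example-internal-action@main
      - uses: ./.github/actions/local
      - name: Abbreviated ref, not a full SHA
        uses: "example-org/example-action@0123456"
"""

if __name__ == "__main__":
    for lineno, target in unpinned_actions(SAMPLE):
        print(f"line {lineno}: {target} is not pinned to a full commit SHA")
```

Run over each file under `.github/workflows/`, an empty result means every external `uses:` reference carries a 40-character SHA.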


2 participants