Skip to content

fix: harden GitHub Actions workflows#1873

Open
dagecko wants to merge 1 commit intokrahets:mainfrom
dagecko:runner-guard/fix-ci-security
Open

fix: harden GitHub Actions workflows#1873
dagecko wants to merge 1 commit intokrahets:mainfrom
dagecko:runner-guard/fix-ci-security

Conversation

@dagecko
Copy link
Copy Markdown

@dagecko dagecko commented Mar 30, 2026

Re-submission of #1860. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.

How to verify

Review the diff, each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3, original version preserved as comment
  • No workflow logic, triggers, or permissions are modified

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.

If you have any questions, reach out. I'll be monitoring comms.

- Chris (dagecko)

@krahets krahets requested a review from Copilot March 30, 2026 06:33
Copilot AI reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens CI supply-chain security by pinning selected third-party GitHub Actions in existing workflows to immutable commit SHAs (while preserving the original version tag as an inline comment).

Changes:

  • Pin brndnmtthws/rust-action-rustup@v1 to a commit SHA in the Rust workflow.
  • Pin ruby/setup-ruby@v1 to a commit SHA in the Ruby workflow.
  • Pin denoland/setup-deno@v2 and dart-lang/setup-dart@v1 to commit SHAs in the JavaScript and Dart workflows.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/rust.yml Pin brndnmtthws/rust-action-rustup to a commit SHA.
.github/workflows/ruby.yml Pin ruby/setup-ruby to a commit SHA.
.github/workflows/javascript.yml Pin denoland/setup-deno to a commit SHA.
.github/workflows/dart.yml Pin dart-lang/setup-dart to a commit SHA.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/javascript.yml
Comment on lines 24 to 29
- uses: actions/checkout@v5
- uses: actions/setup-node@v6
with:
node-version: 24.x
- uses: denoland/setup-deno@v2
- uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2
with:
Copy link

Copilot AI Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR description states that all GitHub Actions are pinned to immutable SHAs, but this workflow (and others) still reference mutable tags (e.g., actions/checkout@v5 and actions/setup-node@v6). Either pin the remaining actions as well or update the PR description to reflect that only selected/third-party actions are being pinned.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dagecko