Fix: Pin all GitHub Actions to SHA and update invalid action version #9

@oto-macenauer-absa

Description

Problem

The check_pr_release_notes workflow is failing because it references a non-existent action version:

uses: AbsaOSS/release-notes-presence-check@v0

The v0 tag does not exist in the release-notes-presence-check repository. The latest release is v0.4.0.

Additionally, all workflows use mutable tag references (e.g. @v6, @v1, @v3) instead of immutable SHA pins, which is a security and reproducibility risk.

Affected workflows

| Workflow | Action | Current ref | Fix |
|---|---|---|---|
| check_pr_release_notes.yml | AbsaOSS/release-notes-presence-check | @v0 ❌ (does not exist) | @v0.4.0 + SHA pin |
| check_pr_release_notes.yml | actions/setup-python | @v6 | SHA pin |
| release_draft.yml | actions/checkout | @v6 | SHA pin |
| release_draft.yml | actions/setup-python | @v6 | SHA pin |
| release_draft.yml | AbsaOSS/version-tag-check | @v1 | @v1.0.0 + SHA pin |
| release_draft.yml | AbsaOSS/generate-release-notes | @v1 | SHA pin |
| release_draft.yml | actions/github-script | @v9 | SHA pin |
| release_draft.yml | softprops/action-gh-release | @v3 | SHA pin |
| update_v1_tag.yml | actions/checkout | @v6 | SHA pin |
| dependabot.yml | dependabot/fetch-metadata | @v3 | SHA pin |

Solution

  • Replace AbsaOSS/release-notes-presence-check@v0 with @v0.4.0 (latest) pinned to its commit SHA
  • Pin all other actions to their latest release SHA using uses: owner/action@<sha> # vX.Y.Z format
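An audit script for the state this issue describes, added here as an example and not part of the project's workflows: it reads `uses:` lines from a workflow file, treats only a full 40-hex commit SHA as an immutable pin, and checks for the `# vX.Y.Z` intent comment from the solution above. The sample workflow and its SHA are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the project): it mixes the mutable
# tag refs this issue describes with one line already in the recommended
# "@<sha> # vX.Y.Z" form. The 40-character SHA is a made-up placeholder.
SAMPLE_WORKFLOW = """\
name: release_draft
on: [workflow_dispatch]
jobs:
  draft:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa # v6.0.0
      - uses: AbsaOSS/release-notes-presence-check@v0
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # a full commit SHA, the only immutable ref
VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+){0,2}")  # the "# vX.Y.Z" intent comment

def audit_uses(text):
    """One finding per `uses:` line: (lineno, action, ref, status), where status is
    "pinned" (SHA + version comment), "pinned-no-comment" (SHA only), "mutable"
    (a tag or branch the upstream can move) or "skipped" (local path / docker://)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        if ref.startswith(("./", "docker://")):
            findings.append((lineno, ref, "", "skipped"))
            continue
        action, _, version = ref.partition("@")
        if SHA_RE.match(version):
            status = "pinned" if VERSION_COMMENT_RE.match(comment) else "pinned-no-comment"
        else:
            status = "mutable"
        findings.append((lineno, action, version, status))
    return findings

def mutable_refs(text):
    """The (action, ref) pairs still on a mutable ref; a reviewer wants this empty."""
    return [(a, v) for _, a, v, s in audit_uses(text) if s == "mutable"]

print(*mutable_refs(SAMPLE_WORKFLOW), sep="\n")
```

Run it over each file in `.github/workflows/` and the issue is resolved when `mutable_refs` returns an empty list for every one of them.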

Labels: bug (Something isn't working), infrastructure (Project setup and deployment)