
Pin GitHub Actions to commit SHAs in all workflows #154

Merged
infeo merged 3 commits into develop from copilot/update-workflows-pin-actions on May 18, 2026

Conversation

Contributor

Copilot AI commented Apr 2, 2026

Mutable version tags (e.g. @v4) can be silently reassigned, making workflows vulnerable to supply chain attacks. All actions should reference immutable commit SHAs with the version tag preserved as a comment.

Changes

  • gh-pages.yml — Pinned all 9 action references to commit SHAs:

    # Before
    uses: actions/checkout@v4
    uses: peaceiris/actions-hugo@v3
    
    # After
    uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
    uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
  • update-desktop.yml — Already fully pinned; no changes needed.
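The description above states the rule this PR enforces: every `uses:` reference must carry a full commit SHA, with the version tag kept as a trailing comment. The following checker is an added example, not code from this repository or from the PR; it scans workflow text line by line with a regular expression (a deliberate simplification rather than a full YAML parse), skips local (`./`) and `docker://` actions that have no git ref to pin, and reports mutable tags, short SHAs, missing refs, and pinned refs that lack the `# vX.Y.Z` comment. The sample workflow is constructed for the example and reuses the two pinned references quoted in the PR description.

```python
import re
from dataclasses import dataclass

# A `uses:` step line, optionally quoted, optionally followed by a `# comment`.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<target>[^\s"\'#]+)["\']?\s*(?:#\s*(?P<comment>.*))?$'
)
# Only a full 40-hex-character commit SHA counts as immutable.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# The trailing comment should name the version the SHA corresponds to, e.g. "v4.3.1".
VERSION_COMMENT_RE = re.compile(r'^v?\d+(\.\d+){0,2}')


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    problem: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not pinned the way the PR requires."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        # Local actions and docker images carry no git ref; nothing to pin here.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            findings.append(Finding(line_no, target, "",
                                    "no ref at all (resolves to the default branch)"))
            continue
        action, ref = target.rsplit("@", 1)
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(line_no, action, ref,
                                    "mutable or abbreviated ref; pin to a full 40-hex commit SHA"))
            continue
        comment = (m.group("comment") or "").strip()
        if not VERSION_COMMENT_RE.match(comment):
            findings.append(Finding(line_no, action, ref,
                                    'pinned but missing the "# vX.Y.Z" version comment'))
    return findings


# Constructed sample workflow (hypothetical); lines 7 to 13 cover each case the checker handles.
SAMPLE_WORKFLOW = """\
name: gh-pages
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: peaceiris/actions-hugo@75d2e84710de30f6ff7268e08f310b60ef14033f # v3.0.0
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@75d2e84
      - uses: some-org/some-action
"""


def format_findings(findings: list[Finding]) -> list[str]:
    """Render findings as one human-readable line each, suitable for a CI log."""
    return [f"line {f.line_no}: {f.action}@{f.ref or '<none>'}: {f.problem}" for f in findings]


if __name__ == "__main__":
    for line in format_findings(check_workflow(SAMPLE_WORKFLOW)):
        print(line)
```

Run against a real repository, the same function can be applied to every file under `.github/workflows/` and made to fail the job when the list is non-empty, which turns the pinning rule from a review convention into a check that runs on every push.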

Copilot AI changed the title [WIP] Update workflows by pinning github actions to a commit Pin GitHub Actions to commit SHAs in all workflows Apr 2, 2026
Copilot AI requested a review from infeo April 2, 2026 10:59
Copilot finished work on behalf of infeo April 2, 2026 10:59
@infeo infeo marked this pull request as ready for review April 2, 2026 14:56
Member

infeo commented Apr 2, 2026

@copilot Add a dependabot file which checks for updates of the CI actions. They are all grouped in one PR.

Contributor Author

Copilot AI commented Apr 2, 2026

> @copilot Add a dependabot file which checks for updates of the CI actions. They are all grouped in one PR.

Added .github/dependabot.yml in e8db75a. It monitors github-actions weekly and groups all action updates into a single PR.

Copilot finished work on behalf of infeo April 2, 2026 16:23
Member

infeo commented May 18, 2026

@copilot Remove the dependabot file. It will be added in a different PR.

Contributor Author

Copilot AI commented May 18, 2026

@infeo I've opened a new pull request, #158, to work on those changes. Once the pull request is ready, I'll request review from you.

@infeo infeo merged commit 8feaeeb into develop May 18, 2026
3 checks passed
@infeo infeo deleted the copilot/update-workflows-pin-actions branch May 18, 2026 10:01