Conversation

Copilot AI commented Dec 30, 2025

Using mutable references like @v4 or @master allows action code to change without review. If an action author's account is compromised, pipelines are vulnerable to supply chain attacks.

Changes

Pinned all GitHub Actions across 6 workflows to immutable commit SHAs with version comments:

  • release.yml: actions/checkout@v6, Adyen/release-automation-action@v1.3.1
  • python-ci.yml: actions/checkout@v6, actions/setup-python@v6
  • labeler_workflow.yml: actions/checkout@v6, actions/setup-python@v6, actions/labeler@v6
  • stale.yml: actions/stale@v9
  • label_new_issues.yml: actions-ecosystem/action-add-labels@v1
  • pypipublish.yml: actions/checkout@master, actions/setup-python@v6, pypa/gh-action-pypi-publish@release/v1

Format

# Before
uses: actions/checkout@v4

# After
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4

Version comments preserve original reference for maintainability while SHAs provide security.

Original prompt

This section details the original issue you should resolve

<issue_title>[Bug]: Pin GitHub Actions to immutable commit SHAs</issue_title>
<issue_description>Using tags like @v1, @master, or @latest allows the action code to change without your review. If the action author is compromised, your pipeline is compromised.
Pin to the immutable Commit SHA.

❌ Bad

uses: actions/checkout@v4

✅ Good

uses: actions/checkout@b4ffde6 # v4.1.1

All existing workflows shall be updated to pin the version of the actions to a specific commit SHA.

</issue_description>

<agent_instructions>Update all workflows to pin the actions to the corresponding SHA commit, instead of using the version number</agent_instructions>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: gcatanese <1771700+gcatanese@users.noreply.github.com>
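As an added example (not code from this PR or the repository), a small audit that scans a workflow file for `uses:` references and reports which ones are pinned to a full commit SHA, which use an abbreviated SHA, and which still use a movable tag or branch; the sample workflow is constructed for the demonstration, not taken from the repository's workflows.

```python
import re

# Constructed sample workflow (not one of the repository's files); it mixes
# the pinned form from the PR with the mutable forms the issue warns about.
SAMPLE_WORKFLOW = """\
name: python-ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4
      - uses: actions/setup-python@v6
      - uses: actions/checkout@master
      - uses: actions/checkout@b4ffde6 # v4.1.1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$|^[0-9a-f]{64}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")  # a hex-only tag would also match

def classify_ref(uses, comment):
    """Return (kind, detail); kind is pinned, short-sha, mutable, local or docker."""
    if uses.startswith("./"):
        return "local", "repository-local action, no ref to pin"
    if uses.startswith("docker://"):
        return "docker", "container image; pin by digest instead of tag"
    repo, _, ref = uses.partition("@")
    if not ref:
        return "mutable", f"{repo} has no ref (resolves to the default branch)"
    if FULL_SHA_RE.match(ref):
        return "pinned", "ok" if comment else "pinned but no version comment"
    if SHORT_SHA_RE.match(ref):
        return "short-sha", "abbreviated SHA; prefer the full-length commit SHA"
    return "mutable", f"tag or branch '{ref}' can move without review"

def audit_workflow(text):
    """Yield (line number, uses value, kind, detail) for every uses: line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            kind, detail = classify_ref(m.group(1), m.group(2))
            findings.append((lineno, m.group(1), kind, detail))
    return findings

if __name__ == "__main__":
    for lineno, uses, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind:9} {uses}  ({detail})")
```

Run it over `.github/workflows/*.yml` in CI and fail the job when any finding is `mutable` to keep new workflows from regressing to tag references.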
Copilot AI changed the title [WIP] Update workflows to pin GitHub Actions using commit SHAs Pin GitHub Actions to immutable commit SHAs Dec 30, 2025
Copilot AI requested a review from gcatanese December 30, 2025 10:07
@gcatanese gcatanese marked this pull request as ready for review December 30, 2025 11:13
@gcatanese gcatanese requested review from a team as code owners December 30, 2025 11:13
@gcatanese gcatanese merged commit 68cfe33 into main Dec 30, 2025
7 checks passed
@gcatanese gcatanese deleted the copilot/pin-actions-to-commit-sha branch December 30, 2025 13:02