Skip to content

[Security] Pin GitHub Actions to a full-length commit SHA #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
juliendoutre wants to merge 1 commit into from
Closed

[Security] Pin GitHub Actions to a full-length commit SHA #102

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
crate: '${{ matrix.crate }}'

build:
uses: Datadog/action-prebuildify/.github/workflows/build.yml@main
uses: Datadog/action-prebuildify/.github/workflows/build.yml@d4e89247e6dd34f485c0f92c12f0cc739c2f8c92 # main
Copy link
Copy Markdown

@yannham yannham Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The description of this PR says:

Internal actions (under the DataDog organization) are not pinned

but this seems to be an internal action? I suppose something choked on the different capitalization...

Copy link
Copy Markdown
Author

@juliendoutre juliendoutre Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes you're right, the code is case sensitive, I will update it to prevent this to happen again, thank you for flagging 🙇

needs: build-test-wasm
with:
package-manager: 'yarn'
Expand All @@ -57,6 +57,6 @@ jobs:
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
- run: yarn install
- name: Compute module size tree and report
uses: qard/heaviest-objects-in-the-universe@v1
uses: qard/heaviest-objects-in-the-universe@1e02edbdda803a45537a808ede97866db47756d3 # v1.0.0
Copy link
Copy Markdown
Contributor

@watson watson Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The versions in Quards repo is messed up which is also why I think I left it out when I previously upgraded this action to use commit SHAs. 1e02edbdda803a45537a808ede97866db47756d3 doesn't match up with v1.0.0, but I agree that it's 1e02edbdda803a45537a808ede97866db47756d3 we want though

Copy link
Copy Markdown
Author

@juliendoutre juliendoutre Mar 17, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, the reason why the tool expanded v1 to a full semver v1.0.0 is in case you wanna use dependabot or renovate which only updates the version comments correctly if they are valid semver. Else, they bump the hash but not the comment next to it that they consider being an arbitrary git ref with no specific meaning. Feel free to revert to v1 if you'd rather use it.

Copy link
Copy Markdown
Contributor

@watson watson Mar 17, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason why I left this one out when I updated all the other references to use the commit hash in a previous PR, was because its repository doesn't use semver git tags and several of the published versions to npm doesn't even have associated tags. So I think the best thing to do here is just hardcode the commit SHA like we do here. The v1.0.0 comment is probably going to confuse someone, so I prefer that we leave it out, as it's incorrect. If anything it's more like v1.0.2, but in reality it's not even that.

Copy link
Copy Markdown
Author

@juliendoutre juliendoutre Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good!

with:
github-token: ${{ secrets.GITHUB_TOKEN }}
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ jobs:
crate: '${{ matrix.crate }}'

build:
uses: Datadog/action-prebuildify/.github/workflows/build.yml@main
uses: Datadog/action-prebuildify/.github/workflows/build.yml@d4e89247e6dd34f485c0f92c12f0cc739c2f8c92 # main
needs: build-test-wasm
with:
package-manager: 'yarn'
Expand Down