🔒 Pin GitHub Actions to commit SHAs by paulinebm · Pull Request #45180 · huggingface/transformers

paulinebm · 2026-04-02T08:00:02Z

🔒 Pin GitHub Actions to commit SHAs

This PR pins all GitHub Actions to their exact commit SHA instead of mutable tags or branch names.

Why?
Pinning to a SHA prevents supply chain attacks where a tag (e.g. v4) could be moved to point to malicious code.

Changes

Workflow	Action	Avant	Après	SHA
`add-model-like.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`add-model-like.yml`	`actions/cache`	`v4`	`v4`	`0057852bfaa8…`
`add-model-like.yml`	`actions/upload-artifact`	`v4`	`v4`	`ea165f8d65b6…`
`benchmark.yml`	`actions/checkout`	`v5`	`v6.0.2`	`de0fac2e4500…`
`extras-smoke-test.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`extras-smoke-test.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`extras-smoke-test.yml`	`actions/setup-python`	`v5`	`v5`	`a26af69be951…`
`extras-smoke-test.yml`	`actions/upload-artifact`	`v4`	`v4`	`ea165f8d65b6…`
`extras-smoke-test.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`extras-smoke-test.yml`	`actions/setup-python`	`v5`	`v5`	`a26af69be951…`
`extras-smoke-test.yml`	`actions/download-artifact`	`v4`	`v4`	`d3f86a106a0b…`
`circleci-failure-summary-comment.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`circleci-failure-summary-comment.yml`	`actions/setup-python`	`v5`	`v5`	`a26af69be951…`
`circleci-failure-summary-comment.yml`	`actions/github-script`	`v7`	`v7`	`f28e40c7f34b…`
`assign-reviewers.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`assign-reviewers.yml`	`actions/setup-python`	`v5`	`v5`	`a26af69be951…`
`release-conda.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`release-conda.yml`	`conda-incubator/setup-miniconda`	`v2`	`v2`	`9f54435e0e72…`
`build-ci-docker-images.yml`	`docker/setup-buildx-action`	`v3`	`v3`	`8d2750c68a42…`
`build-ci-docker-images.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`build-ci-docker-images.yml`	`docker/login-action`	`v3`	`v3`	`c94ce9fb4685…`
`build-ci-docker-images.yml`	`docker/build-push-action`	`v5`	`v5`	`ca052bb54ab0…`
`build-ci-docker-images.yml`	`huggingface/hf-workflows/.github/actions/post-slack`	`main`	`main`	`a88e7fa2eaee…`
`build_documentation.yml`	`huggingface/doc-builder/.github/workflows/build_main_documentation.yml`	`main`	`main`	`90b4ee2c10b8…`
`build_documentation.yml`	`huggingface/doc-builder/.github/workflows/build_main_documentation.yml`	`main`	`main`	`90b4ee2c10b8…`
`build_pr_documentation.yml`	`huggingface/doc-builder/.github/workflows/build_pr_documentation.yml`	`main`	`main`	`90b4ee2c10b8…`
`upload_pr_documentation.yml`	`huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml`	`main`	`main`	`90b4ee2c10b8…`
`self-scheduled-amd-mi250-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled.yaml`	`main`	`main`	`a88e7fa2eaee…`
`self-scheduled-amd-mi250-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled.yaml`	`main`	`main`	`a88e7fa2eaee…`
`self-scheduled-amd-mi250-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled.yaml`	`main`	`main`	`a88e7fa2eaee…`
`self-scheduled-amd-mi250-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled.yaml`	`main`	`main`	`a88e7fa2eaee…`
`self-scheduled-amd-mi325-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled_arc_scale_set.yaml`	`main`	`main`	`a88e7fa2eaee…`
`self-scheduled-amd-mi325-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled_arc_scale_set.yaml`	`main`	`main`	`a88e7fa2eaee…`
`self-scheduled-amd-mi325-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled_arc_scale_set.yaml`	`main`	`main`	`a88e7fa2eaee…`
`self-scheduled-amd-mi325-caller.yml`	`huggingface/hf-workflows/.github/workflows/transformers_amd_ci_scheduled_arc_scale_set.yaml`	`main`	`main`	`a88e7fa2eaee…`
`codeql.yml`	`huggingface/security-workflows/.github/workflows/codeql-reusable.yml`	`main`	`main`	`1b6a139c28db…`
`check-workflow-permissions.yml`	`huggingface/security-workflows/.github/workflows/permissions-advisor-reusable.yml`	`main`	`main`	`1b6a139c28db…`
`ssh-runner.yml`	`huggingface/tailscale-action`	`main`	`main`	`7d53c9737e53…`
`model_jobs.yml`	`actions/upload-artifact`	`v4`	`v4`	`ea165f8d65b6…`
`model_jobs.yml`	`huggingface/transformers/.github/workflows/collated-reports.yml`	`main`	`main`	`6abd9725ee7d…`
`release.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`release.yml`	`actions/setup-python`	`v5`	`v5`	`a26af69be951…`
`release.yml`	`actions/upload-artifact`	`v4`	`v4`	`ea165f8d65b6…`
`release.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`release.yml`	`actions/download-artifact`	`v4`	`v4`	`d3f86a106a0b…`
`release.yml`	`pypa/gh-action-pypi-publish`	`release/v1`	`release/v1`	`ed0c53931b1d…`
`trufflehog.yml`	`actions/checkout`	`v4`	`v6.0.2`	`de0fac2e4500…`
`trufflehog.yml`	`trufflesecurity/trufflehog`	`main`	`main`	`6bd2d14f7a4b…`

🤖 Generated by /github-actions-audit — [security/pin-actions-to-sha]

Closes #45182

Closes huggingface/tracking-issues#43

HuggingFaceDocBuilderDev · 2026-04-02T08:10:09Z

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.

github-actions · 2026-04-02T08:27:04Z

[For maintainers] Suggested jobs to run (before merge)

run-slow: vit

github-actions · 2026-04-02T08:51:47Z

View the CircleCI Test Summary for this PR:

https://huggingface.co/spaces/transformers-community/circle-ci-viz?pr=45180&sha=2e8ca3

ydshieh

great security!

* 🔒 pin add-model-like.yml actions to commit SHAs * 🔒 pin benchmark.yml actions to commit SHAs * 🔒 pin extras-smoke-test.yml actions to commit SHAs * 🔒 pin circleci-failure-summary-comment.yml actions to commit SHAs * 🔒 pin assign-reviewers.yml actions to commit SHAs * 🔒 pin release-conda.yml actions to commit SHAs * 🔒 pin build-ci-docker-images.yml actions to commit SHAs * 🔒 pin build_documentation.yml actions to commit SHAs * 🔒 pin build_pr_documentation.yml actions to commit SHAs * 🔒 pin upload_pr_documentation.yml actions to commit SHAs * 🔒 pin self-scheduled-amd-mi250-caller.yml actions to commit SHAs * 🔒 pin self-scheduled-amd-mi325-caller.yml actions to commit SHAs * 🔒 pin codeql.yml actions to commit SHAs * 🔒 pin check-workflow-permissions.yml actions to commit SHAs * 🔒 pin ssh-runner.yml actions to commit SHAs * 🔒 pin model_jobs.yml actions to commit SHAs * 🔒 pin release.yml actions to commit SHAs * 🔒 pin trufflehog.yml actions to commit SHAs

paulinebm added 18 commits April 2, 2026 09:59

🔒 pin add-model-like.yml actions to commit SHAs

12b15f7

🔒 pin benchmark.yml actions to commit SHAs

d25970c

🔒 pin extras-smoke-test.yml actions to commit SHAs

a99e196

🔒 pin circleci-failure-summary-comment.yml actions to commit SHAs

7178244

🔒 pin assign-reviewers.yml actions to commit SHAs

12a7c20

🔒 pin release-conda.yml actions to commit SHAs

029f39c

🔒 pin build-ci-docker-images.yml actions to commit SHAs

44150e7

🔒 pin build_documentation.yml actions to commit SHAs

4d57c68

🔒 pin build_pr_documentation.yml actions to commit SHAs

e043144

🔒 pin upload_pr_documentation.yml actions to commit SHAs

370b456

🔒 pin self-scheduled-amd-mi250-caller.yml actions to commit SHAs

ce42c32

🔒 pin self-scheduled-amd-mi325-caller.yml actions to commit SHAs

85cce68

🔒 pin codeql.yml actions to commit SHAs

1aea0f0

🔒 pin check-workflow-permissions.yml actions to commit SHAs

34dd1aa

🔒 pin ssh-runner.yml actions to commit SHAs

7dc48d5

🔒 pin model_jobs.yml actions to commit SHAs

c9d2d62

🔒 pin release.yml actions to commit SHAs

561a182

🔒 pin trufflehog.yml actions to commit SHAs

b0e15ab

paulinebm mentioned this pull request Apr 2, 2026

🔒 Track: Pin GitHub Actions to commit SHAs #45182

Closed

ydshieh force-pushed the security/pin-actions-to-sha branch from 2e8ca32 to b0e15ab Compare April 2, 2026 09:11

ydshieh marked this pull request as ready for review April 2, 2026 09:11

github-actions Bot requested review from ArthurZucker and Rocketknight1 April 2, 2026 09:11

ydshieh approved these changes Apr 2, 2026

View reviewed changes

ydshieh merged commit abc417a into main Apr 2, 2026
25 of 28 checks passed

ydshieh deleted the security/pin-actions-to-sha branch April 2, 2026 09:12

evalstate mentioned this pull request Apr 28, 2026

Cumulative defect fixes from recent Transformers PRs evalstate/transformers#41

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🔒 Pin GitHub Actions to commit SHAs#45180

🔒 Pin GitHub Actions to commit SHAs#45180
ydshieh merged 18 commits intomainfrom
security/pin-actions-to-sha

paulinebm commented Apr 2, 2026 •

edited

Loading

Uh oh!

HuggingFaceDocBuilderDev commented Apr 2, 2026

Uh oh!

github-actions Bot commented Apr 2, 2026

Uh oh!

github-actions Bot commented Apr 2, 2026

Uh oh!

ydshieh left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

paulinebm commented Apr 2, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!