Skip to content

ci: pin third-party GitHub Actions to commit SHAs#125

Merged
dvcdsys merged 1 commit into
mainfrom
fix/pin-github-actions-sha
Jul 2, 2026
Merged

ci: pin third-party GitHub Actions to commit SHAs#125
dvcdsys merged 1 commit into
mainfrom
fix/pin-github-actions-sha

Conversation

@dvcdsys

@dvcdsys dvcdsys commented Jul 2, 2026

Copy link
Copy Markdown
Owner

What

Pin every third-party GitHub Action to the commit SHA of its current release, across all workflows:

Action Was Now
docker/setup-buildx-action @v3 @8d2750c… # v3.12.0
docker/login-action @v4 @c99871d… # v4.3.0
docker/build-push-action @v6 @10e90e3… # v6.19.2
softprops/action-gh-release @v3 @718ea10… # v3.0.1
aquasecurity/trivy-action @0.35.0 @57a97c7… # 0.35.0

First-party actions/* stay on tags (GitHub-owned, immutable, not flagged by CodeQL).

Why

CodeQL actions/unpinned-tag flagged these. A mutable version tag can be re-pointed (compromised maintainer / hijacked tag) and would then inject arbitrary code into the release workflows — which hold contents: write and the Docker Hub credentials (DOCKER_USERNAME/DOCKER_PASSWORD). SHA pins remove that class of supply-chain risk. The already-configured Dependabot github-actions ecosystem will bump the SHAs going forward, so they don't rot.

Covers not just the 6 refs flagged on #107 but the pre-existing occurrences too (release-server.yml doubles, llama-pin-check.yml).

Clears code-scanning alerts 14, 18, 20, 33, 44–49, 64.

Test

  • actionlint clean on the touched uses: lines (only pre-existing unrelated sha256sum * shellcheck infos remain).
  • No behavioural change — same action versions, immutable refs.

🤖 Generated with Claude Code

CodeQL (actions/unpinned-tag) flagged docker/setup-buildx-action,
docker/login-action, docker/build-push-action, softprops/action-gh-release,
and aquasecurity/trivy-action as pinned to mutable version tags. A repointed
or hijacked tag would inject arbitrary code into the release workflows, which
hold `contents: write` and the Docker Hub credentials (DOCKER_USERNAME/PASSWORD).

Pin every third-party action to the commit SHA of its current release across
all workflows (not just the ones flagged in PR #107 — also the pre-existing
occurrences in release-server.yml and llama-pin-check.yml). The trailing
`# vX.Y.Z` comment keeps them readable; the already-configured Dependabot
github-actions ecosystem will bump the SHAs going forward. First-party
actions/* stay on tags (immutable, not flagged).

Clears code-scanning alerts 14, 18, 20, 33, 44-49, 64.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dvcdsys dvcdsys merged commit 2798f33 into main Jul 2, 2026
6 checks passed
@dvcdsys dvcdsys deleted the fix/pin-github-actions-sha branch July 2, 2026 15:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant