Skip to content

chore: pin GitHub Actions to full-length commit SHAs#563

Merged
Vaiz merged 2 commits into
microsoft:mainfrom
OssSecurityBot:oss-security-bot/pin-actions
Jul 14, 2026
Merged

chore: pin GitHub Actions to full-length commit SHAs#563
Vaiz merged 2 commits into
microsoft:mainfrom
OssSecurityBot:oss-security-bot/pin-actions

Conversation

@OssSecurityBot

@OssSecurityBot OssSecurityBot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Summary

This PR pins GitHub Actions to full-length commit SHAs for improved security and reproducibility, and adds a 7-day cooldown to the Dependabot configuration for GitHub Actions updates.

Why?

Pinning actions to commit SHAs prevents supply-chain attacks where a tag could be moved to point to malicious code. This is a recommended security best practice per the GitHub Actions security hardening guide.

This change mitigates the risk of tag retargeting to malicious code as seen in incidents like the tj-actions/changed-files compromise or codfish/semantic-release-action compromise, and improves the integrity and reproducibility of the CI/CD pipeline.

What changed?

Action pinning: Third-party action references in .github/workflows/ and .github/actions/setup/action.yml that used mutable tag-based references have been updated to full-length commit SHAs with a version comment (e.g., actions/checkout@<sha> # v7.0.0) using pinact:

Action Old ref New ref
actions/checkout @v7.0.0 @9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
amannn/action-semantic-pull-request @v6.1.1 @48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
mozilla-actions/sccache-action @v0.0.10 @9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10
actions-rust-lang/setup-rust-toolchain @v1.16.1 @46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1
wild-linker/action @0.9.0 @0bbbfa5df4380cab8e63cb8505a1ce65e1d10203 # 0.9.0

Immutable-release exceptions (intentionally left as tags): The following actions publish their releases as GitHub immutable releases — verified via the GitHub API ("immutable": true on the release), meaning the tag is cryptographically locked and can never be retargeted to a different commit after publication. Pinning these to a SHA would add no additional supply-chain protection, so they are intentionally left as mutable-looking tags, with a code comment at each usage site documenting the verification:

You can verify immutability yourself via GET https://api.github.com/repos/<owner>/<repo>/releases/tags/<tag> and checking the immutable field.

Dependabot configuration: .github/dependabot.yml now has a github-actions package-ecosystem section with a cooldown of default-days: 7. The important part of this change is the 7-day cooldown itself, not grouping: it delays newly published Action versions from being proposed by Dependabot for 7 days, giving the community/security researchers a window to detect and report a compromised or "poisoned" release before it's automatically pulled into this repo. If the file did not exist, it was created; if a github-actions section already existed, only the cooldown block was added (or its default-days raised to 7 if lower).

Is this safe to merge?

Yes. The pinned SHAs correspond to the same commits the existing tags pointed to. No behavioral changes are introduced. You can verify a pinned SHA via the GitHub REST API (e.g., GET https://api.github.com/repos/actions/checkout/commits/v7 returns the sha matching the pin).


For more information, visit https://aka.ms/action-pinning

Copilot AI review requested due to automatic review settings July 10, 2026 14:29

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins several GitHub Actions uses: references to full-length commit SHAs (with version comments) to improve workflow reproducibility and reduce supply-chain risk, and updates Dependabot configuration for GitHub Actions update cadence.

Changes:

  • Replace actions/checkout@v7.0.0 with a full-length commit SHA across multiple workflows.
  • Pin additional third-party actions (e.g., amannn/action-semantic-pull-request, mozilla-actions/sccache-action, actions-rust-lang/setup-rust-toolchain, wild-linker/action) to full-length commit SHAs.
  • Add a 7-day cooldown for the github-actions ecosystem in .github/dependabot.yml.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.github/workflows/publish-gh-release.yml Pins actions/checkout to a full commit SHA for release workflow reproducibility.
.github/workflows/nightly.yml Pins actions/checkout to a full commit SHA across nightly jobs.
.github/workflows/main.yml Pins actions/checkout and amannn/action-semantic-pull-request to full SHAs in CI workflow.
.github/workflows/codeql.yml Pins actions/checkout to a full SHA for CodeQL workflow.
.github/dependabot.yml Adds a 7-day cooldown for GitHub Actions updates.
.github/actions/setup/action.yml Pins several setup-step actions to full SHAs within the composite setup action.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/main.yml
Comment thread .github/workflows/codeql.yml
Comment thread .github/actions/setup/action.yml
@Vaiz

Vaiz commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

closed until bot is verified

@Vaiz Vaiz closed this Jul 10, 2026
@microsoft microsoft locked as spam and limited conversation to collaborators Jul 10, 2026
@Vaiz Vaiz reopened this Jul 13, 2026
@microsoft microsoft unlocked this conversation Jul 13, 2026
Comment thread .github/workflows/codeql.yml
@Vaiz Vaiz changed the title Pin GitHub Actions to full-length commit SHAs chore: pin GitHub Actions to full-length commit SHAs Jul 13, 2026
@Vaiz

Vaiz commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

@copilot, pin remaining actions

@ralfbiedert ralfbiedert enabled auto-merge (squash) July 13, 2026 15:44
Copilot AI review requested due to automatic review settings July 13, 2026 15:44

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Comment thread .github/dependabot.yml
Comment thread .github/workflows/codeql.yml
Comment thread .github/workflows/main.yml
Copilot AI review requested due to automatic review settings July 13, 2026 15:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 4 comments.

Comment thread .github/actions/setup/action.yml
Comment thread .github/workflows/main.yml
Comment thread .github/workflows/codeql.yml
Comment thread .github/dependabot.yml
@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.0%. Comparing base (dde8653) to head (2a368dd).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #563   +/-   ##
=======================================
  Coverage   100.0%   100.0%           
=======================================
  Files         360      360           
  Lines       27886    27886           
=======================================
  Hits        27886    27886           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI review requested due to automatic review settings July 14, 2026 04:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

OssSecurityBot and others added 2 commits July 14, 2026 05:49
- Add code comments next to codecov/codecov-action, github/codeql-action
  (init+analyze), and taiki-e/install-action noting these are intentionally
  left tag-pinned because their releases are immutable (verified via the
  GitHub API 'immutable: true' field), so a SHA pin adds no extra
  supply-chain protection.
- Clarify the dependabot.yml cooldown comment: the 7-day cooldown gives
  security researchers time to detect/report a compromised Action release
  before Dependabot proposes it, not to group updates.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings July 14, 2026 04:49
@Vaiz Vaiz force-pushed the oss-security-bot/pin-actions branch from 5da7f08 to 2a368dd Compare July 14, 2026 04:49

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

@Vaiz Vaiz marked this pull request as draft July 14, 2026 08:56
auto-merge was automatically disabled July 14, 2026 08:56

Pull request was converted to draft

@Vaiz Vaiz marked this pull request as ready for review July 14, 2026 08:57
@Vaiz Vaiz merged commit 2cf0ffe into microsoft:main Jul 14, 2026
60 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants