chore: pin GitHub Actions to full-length commit SHAs#563
Merged
Vaiz merged 2 commits intoJul 14, 2026
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Pins several GitHub Actions uses: references to full-length commit SHAs (with version comments) to improve workflow reproducibility and reduce supply-chain risk, and updates Dependabot configuration for GitHub Actions update cadence.
Changes:
- Replace
actions/checkout@v7.0.0with a full-length commit SHA across multiple workflows. - Pin additional third-party actions (e.g.,
amannn/action-semantic-pull-request,mozilla-actions/sccache-action,actions-rust-lang/setup-rust-toolchain,wild-linker/action) to full-length commit SHAs. - Add a 7-day
cooldownfor thegithub-actionsecosystem in.github/dependabot.yml.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/publish-gh-release.yml | Pins actions/checkout to a full commit SHA for release workflow reproducibility. |
| .github/workflows/nightly.yml | Pins actions/checkout to a full commit SHA across nightly jobs. |
| .github/workflows/main.yml | Pins actions/checkout and amannn/action-semantic-pull-request to full SHAs in CI workflow. |
| .github/workflows/codeql.yml | Pins actions/checkout to a full SHA for CodeQL workflow. |
| .github/dependabot.yml | Adds a 7-day cooldown for GitHub Actions updates. |
| .github/actions/setup/action.yml | Pins several setup-step actions to full SHAs within the composite setup action. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Contributor
|
closed until bot is verified |
Vaiz
reviewed
Jul 13, 2026
Contributor
|
@copilot, pin remaining actions |
ralfbiedert
approved these changes
Jul 13, 2026
ralfbiedert
approved these changes
Jul 13, 2026
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #563 +/- ##
=======================================
Coverage 100.0% 100.0%
=======================================
Files 360 360
Lines 27886 27886
=======================================
Hits 27886 27886 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
- Add code comments next to codecov/codecov-action, github/codeql-action (init+analyze), and taiki-e/install-action noting these are intentionally left tag-pinned because their releases are immutable (verified via the GitHub API 'immutable: true' field), so a SHA pin adds no extra supply-chain protection. - Clarify the dependabot.yml cooldown comment: the 7-day cooldown gives security researchers time to detect/report a compromised Action release before Dependabot proposes it, not to group updates. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
5da7f08 to
2a368dd
Compare
st-dev-gh
approved these changes
Jul 14, 2026
sandersaares
approved these changes
Jul 14, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR pins GitHub Actions to full-length commit SHAs for improved security and reproducibility, and adds a 7-day cooldown to the Dependabot configuration for GitHub Actions updates.
Why?
Pinning actions to commit SHAs prevents supply-chain attacks where a tag could be moved to point to malicious code. This is a recommended security best practice per the GitHub Actions security hardening guide.
This change mitigates the risk of tag retargeting to malicious code as seen in incidents like the tj-actions/changed-files compromise or codfish/semantic-release-action compromise, and improves the integrity and reproducibility of the CI/CD pipeline.
What changed?
Action pinning: Third-party action references in
.github/workflows/and.github/actions/setup/action.ymlthat used mutable tag-based references have been updated to full-length commit SHAs with a version comment (e.g.,actions/checkout@<sha> # v7.0.0) using pinact:actions/checkout@v7.0.0@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0amannn/action-semantic-pull-request@v6.1.1@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1mozilla-actions/sccache-action@v0.0.10@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10actions-rust-lang/setup-rust-toolchain@v1.16.1@46268bd060767258de96ed93c1251119784f2ab6 # v1.16.1wild-linker/action@0.9.0@0bbbfa5df4380cab8e63cb8505a1ce65e1d10203 # 0.9.0Immutable-release exceptions (intentionally left as tags): The following actions publish their releases as GitHub immutable releases — verified via the GitHub API (
"immutable": trueon the release), meaning the tag is cryptographically locked and can never be retargeted to a different commit after publication. Pinning these to a SHA would add no additional supply-chain protection, so they are intentionally left as mutable-looking tags, with a code comment at each usage site documenting the verification:codecov/codecov-action@v7.0.0—.github/workflows/main.ymlgithub/codeql-action/init@v4.36.2—.github/workflows/codeql.ymlgithub/codeql-action/analyze@v4.36.2—.github/workflows/codeql.ymltaiki-e/install-action@v2.81.8—.github/actions/setup/action.ymlYou can verify immutability yourself via
GET https://api.github.com/repos/<owner>/<repo>/releases/tags/<tag>and checking theimmutablefield.Dependabot configuration:
.github/dependabot.ymlnow has agithub-actionspackage-ecosystem section with acooldownofdefault-days: 7. The important part of this change is the 7-day cooldown itself, not grouping: it delays newly published Action versions from being proposed by Dependabot for 7 days, giving the community/security researchers a window to detect and report a compromised or "poisoned" release before it's automatically pulled into this repo. If the file did not exist, it was created; if agithub-actionssection already existed, only thecooldownblock was added (or itsdefault-daysraised to 7 if lower).Is this safe to merge?
Yes. The pinned SHAs correspond to the same commits the existing tags pointed to. No behavioral changes are introduced. You can verify a pinned SHA via the GitHub REST API (e.g.,
GET https://api.github.com/repos/actions/checkout/commits/v7returns theshamatching the pin).For more information, visit https://aka.ms/action-pinning