
ci: pin GitHub Actions to commit SHAs #450

Merged
nkbranigan merged 1 commit into probml:main from nkbranigan:ci/pin-actions-to-sha
Jun 25, 2026

Conversation

@nkbranigan

Collaborator

Pin GitHub Actions by SHA to implement security best practices.

  • Behavior is not changed, with each action pinned to the same commit as currently.
  • Security best practices recommend that all GitHub Actions be pinned by SHA rather than referred to by, for example, tags (GitHub, OSSF, OWASP). Not using SHAs can be exploited by attackers (for example GHSA-mrrh-fwg8-r2c3).
  • I verified for each action that the SHA and tag pins are identical by running the following code:
    tag_sha_test.py
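
The check the PR author describes (every `uses:` reference pinned to a full commit SHA, and that SHA agreeing with the version tag named in the trailing comment) can be expressed as a small linter. The script below is an added example, not the `tag_sha_test.py` attached to the PR and not probml's code. The workflow text and the `TAG_TO_SHA` table are constructed for the example; in a real run the table would be built from `git ls-remote <repo-url> refs/tags/<tag>` (or the GitHub API) for each action, and `Finding`, `check_workflow` and `USES_RE` are names chosen here.

```python
"""Lint a GitHub Actions workflow for `uses:` references that are not pinned
to a 40-hex commit SHA, and verify SHA pins against the tag named in the
trailing `# vX.Y.Z` comment."""
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the PR): two SHA pins with version
# comments, one tag pin, one branch pin, one local composite action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4.1.1
      - uses: actions/setup-python@v5
      - uses: example/tool@main
      - uses: actions/cache@3333333333333333333333333333333333333333 # v4.0.2
      - uses: ./.github/actions/local-step
      - run: pytest
"""

# Constructed stand-in for the (owner/repo, tag) -> commit SHA answers that
# `git ls-remote` would give. The cache entry deliberately disagrees with the
# workflow so the mismatch path is exercised.
TAG_TO_SHA = {
    ("actions/checkout", "v4.1.1"): "1111111111111111111111111111111111111111",
    ("actions/cache", "v4.0.2"): "4444444444444444444444444444444444444444",
}

# `- uses: <target> # <comment>` ; the list dash is optional so that
# job-level reusable-workflow `uses:` lines are matched too.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>\S+)(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int
    repo: str
    ref: str
    status: str  # "ok" | "unpinned" | "mismatch" | "unverified"


def check_workflow(text, tag_to_sha):
    """Return one Finding per remote `uses:` reference in the workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group("target").strip("'\"")
        comment = m.group("comment")
        # Local actions and docker images have no git ref to pin.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        path, _, ref = target.partition("@")
        # Sub-path actions (owner/repo/dir@ref) resolve against owner/repo.
        repo = "/".join(path.split("/")[:2])
        if not SHA_RE.match(ref):
            # Tag, branch, or missing ref: mutable, so report it.
            findings.append(Finding(lineno, repo, ref, "unpinned"))
            continue
        expected = tag_to_sha.get((repo, comment)) if comment else None
        if expected is None:
            # SHA-pinned but no known tag to compare against.
            findings.append(Finding(lineno, repo, ref, "unverified"))
        elif expected != ref:
            findings.append(Finding(lineno, repo, ref, "mismatch"))
        else:
            findings.append(Finding(lineno, repo, ref, "ok"))
    return findings


def has_problems(findings):
    """True if any reference is unpinned or disagrees with its tag."""
    return any(f.status in ("unpinned", "mismatch") for f in findings)


if __name__ == "__main__":
    results = check_workflow(SAMPLE_WORKFLOW, TAG_TO_SHA)
    for f in results:
        print(f"line {f.line}: {f.repo}@{f.ref} -> {f.status}")
    raise SystemExit(1 if has_problems(results) else 0)
```

Run against the constructed workflow it reports `checkout` as ok, `setup-python` and `example/tool` as unpinned, and `cache` as a mismatch between the SHA in the file and the SHA the `v4.0.2` tag resolves to; a non-zero exit makes it usable as a CI gate. A SHA pin with no version comment is only "unverified", since nothing on the line says which tag it is supposed to correspond to.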

@nkbranigan nkbranigan merged commit 968c282 into probml:main Jun 25, 2026
8 checks passed