Skip to content

fix: pin GitHub Actions to SHA for supply chain security#634

Merged
riccardosarro merged 3 commits into
developfrom
fix/github-action-sha-pinning
Jun 23, 2026
Merged

fix: pin GitHub Actions to SHA for supply chain security#634
riccardosarro merged 3 commits into
developfrom
fix/github-action-sha-pinning

Conversation

@riccardosarro

Copy link
Copy Markdown
Contributor

Summary

Pin all GitHub Actions to full commit SHAs for supply chain security.

Actions referenced by tag or branch have been resolved to their commit SHA, with the original ref preserved as an inline comment. Where a sub-action had unpinned transitive dependencies, the action was upgraded to the closest newer version where all sub-actions are fully pinned.

References to this repo's own reusable workflows / composite actions have been rewritten to relative ./ paths, which run from the current commit and are exempt from SHA-pinning enforcement.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
@riccardosarro riccardosarro added the vimeo-sha-pinning-enforcement PRs opened by gha-sha-pinning automation label Jun 22, 2026
@security-claw

Copy link
Copy Markdown
Contributor

❌ CI failing — pre-existing on base, PR is not the cause.

Failing checks:

  • build (Test workflow): actions/cache v2 deprecated by GitHub (##[error] uses a deprecated version of actions/cache: c64c57…). Base branch (develop) uses the same actions/cache@v2.1.6 — no prior Test workflow runs exist on develop, but the deprecation is infrastructure-level and pre-dates this PR.
  • submit-gradle (Automatic Dependency Submission): pre-existing failure on develop (last ran 2026-03-26, concluded failure). Workflow file not modified by this PR.

Pin analysis: all 5 modified uses: lines are pure SHA pins of the same version (no bumps). PR is safe from a pinning perspective but cannot be merged due to pre-existing CI breakage.

@security-claw

Copy link
Copy Markdown
Contributor

❌ CI failing — pre-existing on base branch (develop), not introduced by this PR.

Failing checks:

Job Workflow Cause Pre-existing?
build Test (test.yml) actions/cache@v2.1.6 deprecated by GitHub (v1/v2 shutdown) Yes — develop uses the same actions/cache@v2.1.6 tag
submit-gradle Automatic Dependency Submission (Gradle) Workflow not modified by this PR Yes — already failing on develop since 2026-03-26 (run #23592177968)

Pin-vs-bump analysis: All 10 modified uses: lines are pure SHA pins (old version == new resolved version). No version bumps detected. This PR is safe from a supply-chain perspective.

Not merging because required CI checks are red. The actions/cache v2 deprecation needs to be resolved separately (upgrade to v3/v4) before this PR or any other can pass CI.

@security-claw

Copy link
Copy Markdown
Contributor

❌ CI failing — pre-existing on base, PR is not the cause.

Failing checks:

Job Workflow Cause
build Test actions/cache@v2.1.6 (SHA c64c572…) has been deprecated by GitHub. The develop branch uses the same actions/cache@v2.1.6 — any PR targeting develop would hit this failure.
submit-gradle Automatic Dependency Submission Dynamic workflow not modified by this PR. Already failing on develop (last run: 2026-03-26, conclusion: failure).

Bump-vs-pin analysis: All 5 action changes across test.yml and shipit.yml are pure SHA pins of the existing version (no version bumps):

  • actions/checkout v2.3.4 → v2.3.4
  • actions/cache v2.1.6 → v2.1.6
  • actions/setup-java v2.2.0 → v2.2.0
  • ruby/setup-ruby v1.81.0 → v1.81.0
  • 8398a7/action-slack v3 → v3

Decision: Not merging. CI failures are pre-existing on develop, not introduced by this PR. The deprecated actions/cache@v2.1.6 needs to be upgraded to v3/v4 on develop before this (or any) PR can pass CI.

@security-claw

Copy link
Copy Markdown
Contributor

❌ CI failing — pre-existing on base, not introduced by this PR.

Failing checks:

  1. build (Test workflow) — fails at "Set up job" because actions/cache@v2.1.6 (SHA c64c572…) has been deprecated by GitHub. The base branch (develop) uses the same actions/cache@v2.1.6 tag which resolves to the identical deprecated SHA — this is a platform-level deprecation, not caused by the pin.

  2. submit-gradle (Automatic Dependency Submission) — fails at "validate-project" with BUILD FAILED / "Gradle validation failed in repository root." The same workflow was already failing on develop (run #23592177968, 2026-03-26) with the identical error.

Bump-vs-pin analysis: all 5 changed uses: lines are pure SHA pins of the same version (no version bumps). PR is safe from a pinning perspective, but CI must be green before merging. Not merging.

GitHub retired actions/cache v1/v2 on Feb 1, 2025; runs requesting
those versions auto-fail at the 'Getting action download info' step
regardless of SHA pinning. v4 is input-compatible with v2 so no
workflow changes beyond the version bump are needed.

Ref: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down
@riccardosarro

Copy link
Copy Markdown
Contributor Author

CI red for unrelated reasons, repo has been unmaintained 2.5 years

@riccardosarro riccardosarro merged commit 0457e17 into develop Jun 23, 2026
1 of 3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

vimeo-sha-pinning-enforcement PRs opened by gha-sha-pinning automation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants