Skip to content

Pin third-party actions to commit SHAs#418

Merged
kplattret merged 1 commit into
mainfrom
pin-third-party-actions
Jun 18, 2026
Merged

Pin third-party actions to commit SHAs#418
kplattret merged 1 commit into
mainfrom
pin-third-party-actions

Conversation

@kplattret

Copy link
Copy Markdown
Member

Summary

Pins all third-party GitHub Actions to full-length commit SHAs, following GitHub's secure-use guidance. A version tag (e.g. @v3) is mutable — whoever controls the action can move it to point at new code. Pinning to an immutable commit SHA prevents a compromised or repointed tag from silently running in our workflows.

The human-readable version is preserved as a trailing comment (# v3), and Dependabot continues to bump both the SHA and the comment.

Actions pinned

Action Version Workflow(s)
dorny/paths-filter v4 codeql
shivammathur/setup-php v2 php
stefandanaita/git-subtree-action 1.2.0 php
actions-ecosystem/action-regex-match v2 node, ruby
ruby/setup-ruby v1 ruby
dtolnay/rust-toolchain stable rust
MarcoIeni/release-plz-action v0.5 rust
gradle/wrapper-validation-action v3.5.0 java, java7
mathieudutour/github-tag-action v6.2 java, java7
softprops/action-gh-release v3 java, java7

Notes

  • GitHub-owned actions left on tagsactions/* (checkout, cache, setup-*) and github/codeql-action/* are first-party and out of scope for the third-party guidance.
  • dtolnay/rust-toolchain@stable pins the action code only; it still installs the latest stable Rust toolchain at runtime, so build behavior is unchanged.
  • Only uses: lines changed — no logic or permissions changes.

🤖 Generated with Claude Code

Pin all non-GitHub-owned actions to full-length commit SHAs per
https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
to prevent a moved tag from silently introducing malicious code. The
version is kept as a trailing comment, and Dependabot continues to bump
both the SHA and comment. GitHub-owned actions/* and github/* are left
on tags.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@kplattret
kplattret requested a review from a team as a code owner June 18, 2026 12:59
@kplattret
kplattret requested a review from Copilot June 18, 2026 13:01

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Not ready to approve

The PHP workflow still uses the deprecated ::set-output command in the same touched hunk and should be updated to $GITHUB_OUTPUT to avoid future runner incompatibilities.

Pull request overview

This PR hardens the repository’s CI/CD security posture by pinning third-party GitHub Actions to immutable commit SHAs (while preserving the human-readable tag/version in trailing comments) across the language workflows.

Changes:

  • Replace third-party uses: owner/action@tag references with uses: owner/action@<full SHA> # <tag> in workflows.
  • Pin the Rust release automation action (release-plz) and Rust toolchain action code to SHAs.
  • Pin third-party actions used for release/tagging and wrapper validation in Java/Java7 workflows.
File summaries
File Description
.github/workflows/rust.yml Pins Rust toolchain and release-plz third-party actions to SHAs.
.github/workflows/ruby.yml Pins ruby/setup-ruby and regex-match third-party actions to SHAs.
.github/workflows/php.yml Pins PHP setup and git-subtree third-party actions to SHAs.
.github/workflows/node.yml Pins regex-match third-party action to a SHA.
.github/workflows/java.yml Pins wrapper validation, tag creation, and GH release third-party actions to SHAs.
.github/workflows/java7.yml Pins wrapper validation, tag creation, and GH release third-party actions to SHAs.
.github/workflows/codeql.yml Pins dorny/paths-filter third-party action to a SHA.

Copilot's findings

  • Files reviewed: 7/7 changed files
  • Comments generated: 1

Note

Your feedback helps us improve the quality of this feature.
Please use 👍 or 👎 to tell us whether this assessment is correct.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/php.yml
@kplattret
kplattret merged commit 42a37e3 into main Jun 18, 2026
34 checks passed
@kplattret
kplattret deleted the pin-third-party-actions branch June 18, 2026 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants