
bdehamer
Collaborator

Update workflows to properly pin referenced actions by SHA

Also removes the publish-immutable-actions workflow.

Signed-off-by: Brian DeHamer <[email protected]>
Copilot AI review requested due to automatic review settings August 14, 2025 22:10
bdehamer requested a review from a team as a code owner August 14, 2025 22:10

Copilot AI left a comment


Pull Request Overview

Updates GitHub Actions workflows to improve security by pinning action dependencies to specific SHA hashes instead of mutable version tags, and removes the publish-immutable-actions workflow.

  • Replaces version tags (e.g., @v4) with SHA hashes and version comments for all action dependencies
  • Updates several actions to newer versions while pinning them securely
  • Removes the entire publish-immutable-actions.yml workflow file

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/publish-immutable-actions.yml | Complete removal of workflow file |
| .github/workflows/prober.yml | Pin upload-artifact action to SHA hash |
| .github/workflows/linter.yml | Pin checkout and setup-node actions to SHA hashes with version updates |
| .github/workflows/codeql-analysis.yml | Pin checkout and CodeQL actions to SHA hashes with version updates |
| .github/workflows/ci.yml | Pin setup-node action to SHA hash with version update |
| .github/workflows/check-dist.yml | Pin checkout and setup-node actions to SHA hashes with version updates |


bdehamer merged commit 8bd83f1 into main Aug 14, 2025
19 checks passed
bdehamer deleted the bdehamer/workflow-fixup branch August 14, 2025 22:13