Pin workflow actions to specific SHA (latest minor version)#4831
Merged
timdorr merged 1 commit intoDec 11, 2025
Merged
Conversation
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. |
2 tasks
Contributor
Author
|
Oh, weird, the original workflow checks are working again! I'm guessing the security policies got switched back? :0 Maybe this PR should've been an issue first haha, feel free to close this if not needed! C: |
Member
|
Yes, we turned off that setting for now. We had done so for RTK's repo, but it was org-wide. We can still do this for each repo and get towards better reproducibility, even with the setting off. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
name: 🐛 Bug fix or new feature
about: Fixing a problem with Redux
PR Type
Does this PR add a new feature, or fix a bug?
Fix a bug
Why should this PR be included?
I am hoping that it can help Github workflow tests run properly again.
Checklist
.github/workflowsare changed. GitHub actions ran fine when I pushed to my remote branch, though: https://github.com/Talos0248/redux/actions/runs/20124498806Bug Fixes
What is the current behavior, and the steps to reproduce the issue?
Currently, when opening a PR, Github workflow tests fail, as I believe security policies of the redux repo requires actions to be pinned to a specific SHA; however, current actions only use a generic tag (eg @v4)
What is the expected behavior?
When opening a PR, Github Workflow tests should NOT throw an error when setting up the job and instead should run properly. Example error that this should fix:
How does this PR fix the problem?
I have pinned a specific SHA to each GitHub workflow action. I have chosen the latest minor version available at time of writing (e.g.
v4.3.0foractions/download-artifact@v4). Full list of changes as well as link to release and their SHA values is as follows:actions/checkout@v4
https://github.com/actions/checkout/releases/tag/v4.3.1
34e114876b0b11c390a56381ad16ebd13914f8d5
dorny/paths-filter@v3
https://github.com/dorny/paths-filter/releases/tag/v3.0.2
de90cc6fb38fc0963ad72b210f1f284cd68cea36
actions/setup-node@v4
https://github.com/actions/setup-node/releases/tag/v4.4.0
49933ea5288caeca8642d1e84afbd3f7d6820020
actions/download-artifact@v4
https://github.com/actions/download-artifact/releases/tag/v4.3.0
d3f86a106a0bac45b974a628896c90dbdf5c8093
preactjs/compressed-size-action@v2
https://github.com/preactjs/compressed-size-action/releases/tag/2.8.0
946a292cd35bd1088e0d7eb92b69d1a8d5b5d76a
actions/upload-artifact@v4
https://github.com/actions/upload-artifact/releases/tag/v4.6.2
ea165f8d65b6e75b540449e92b4886f43607fa02