
ci: pin GitHub Actions hashes #2

Open
mbaraniak-exodus wants to merge 1 commit into mempool from mbaraniak/github-action-pinning

Conversation

@mbaraniak-exodus

📝 Summary

Pin GitHub Actions used in CI workflows to full commit SHAs.

This removes floating action references and reduces supply-chain risk by ensuring workflow execution uses reviewed, immutable upstream revisions instead of tags that can be moved.


Copilot AI left a comment


Pull request overview

This PR aims to improve supply-chain security by pinning GitHub Actions used in CI workflows to specific commit SHAs instead of floating version tags. This prevents malicious actors from compromising workflows by modifying tags on upstream repositories.

Changes:

  • Pin docker/setup-buildx-action in on-tag.yml workflow to a specific commit SHA with version reference
  • Pin vmactions/freebsd-vm in ci.yml workflow to a specific commit SHA with version reference

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File                          Description
.github/workflows/on-tag.yml  Pins docker/setup-buildx-action to commit SHA 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f (v3.12.0)
.github/workflows/ci.yml      Pins vmactions/freebsd-vm to commit SHA c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e (v1.4.2)
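As an added example (editor's code, not part of this PR or of the mempool project), the check below does mechanically what the review above does by hand: it scans workflow text for `uses:` references, flags every one that is not pinned to a full 40-hex commit SHA (tags, branches and abbreviated SHAs all count as floating), and separately flags SHA pins that lack the `# vX.Y.Z` annotation that makes a pin auditable and bumpable. The sample workflow is constructed to mirror the references named in this thread; the regexes, function names and `ActionRef` type are this example's own.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not code from this PR or the mempool project.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A full git object id (40 hex digits). Only this form is immutable: tags and
# branches can be moved, and an abbreviated SHA can become ambiguous.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# Local actions (`./path`) and `docker://` images have no `@ref` of this shape
# and are deliberately skipped.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S.*))?\s*$"
)


@dataclass(frozen=True)
class ActionRef:
    line_no: int
    action: str
    ref: str
    comment: Optional[str]

    @property
    def pinned(self) -> bool:
        return bool(FULL_SHA.match(self.ref))

    @property
    def has_version_comment(self) -> bool:
        # Annotation such as "# v3.12.0" recording which tag the SHA came from.
        # It is informational only and is never treated as the pin itself.
        return self.comment is not None and re.match(r"^v?\d+(\.\d+)*", self.comment) is not None


def parse_uses(workflow_text: str) -> List[ActionRef]:
    """Collect every remote action reference in a workflow file's text."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            refs.append(ActionRef(n, m["action"], m["ref"], m["comment"]))
    return refs


def unpinned(workflow_text: str) -> List[ActionRef]:
    """References that float: tag, branch, or abbreviated SHA."""
    return [r for r in parse_uses(workflow_text) if not r.pinned]


def pinned_without_comment(workflow_text: str) -> List[ActionRef]:
    """SHA pins that lack a `# vX.Y.Z` note, which makes them hard to audit and bump."""
    return [r for r in parse_uses(workflow_text) if r.pinned and not r.has_version_comment]


# Constructed sample mirroring the references discussed in this PR's review;
# the freebsd-vm pin is deliberately left without its version comment.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - name: Setup Docker buildx action
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - uses: docker/setup-qemu-action@v3
      - uses: actions/cache@v3
      - name: Compile Checks in FreeBSD
        uses: vmactions/freebsd-vm@c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e
"""

if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action}@{r.ref} is not pinned to a full commit SHA")
    for r in pinned_without_comment(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.action} is pinned but lacks a '# vX.Y.Z' version comment")
```

Run against a real `.github/workflows/*.yml` file by reading it into `workflow_text`; a non-empty `unpinned()` result is the condition to fail CI on. The `# vX.Y.Z` comment is checked separately because it is what humans and update tooling read when bumping a pin, but it carries no security weight on its own: only the SHA does.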



- name: Setup Docker buildx action
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
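Review bot: before merging, confirm that 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f is the commit that upstream tag v3.12.0 of docker/setup-buildx-action resolves to (for example `git ls-remote --tags https://github.com/docker/setup-buildx-action v3.12.0`, taking the `^{}` peeled entry if the tag is annotated). The trailing `# v3.12.0` is only a comment, so a wrong annotation would not fail the build but would mislead every later bump; keep it in exactly this `# vX.Y.Z` form, which is what Dependabot's github-actions updates rewrite together with the SHA.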

Copilot AI Apr 8, 2026


While this change pins docker/setup-buildx-action to a commit SHA, the PR only partially addresses the goal of pinning all GitHub Actions. Other unpinned actions in this same workflow include actions/checkout@v3 (line 45), docker/setup-qemu-action@v3 (line 48), and actions/cache@v3 (line 59). For complete supply-chain risk mitigation, consider pinning all floating action references in this workflow.

key: freebsd-${{ env.FREEBSD_VER }}-cargo-checks-${{ hashFiles('**/Cargo.lock') }}
- name: Compile Checks in FreeBSD
uses: vmactions/freebsd-vm@v1
uses: vmactions/freebsd-vm@c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e # v1.4.2
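Review bot: pinning vmactions/freebsd-vm at c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e is the right call for a third-party action that runs the FreeBSD compile checks in a VM, but it also drops the previous `@v1` behaviour of picking up v1.x fixes automatically. The PR description should say how this pin gets bumped (a `.github/dependabot.yml` entry for the `github-actions` ecosystem, or an equivalent Renovate rule) so the SHA does not go stale, and the same upstream-tag check as for the buildx hunk applies to v1.4.2 here.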

Copilot AI Apr 8, 2026


While this change pins vmactions/freebsd-vm to a commit SHA, the PR only partially addresses the goal of pinning all GitHub Actions. Other unpinned actions in this same workflow include actions/checkout@v4 (lines 15, 26, 37, 50, 100) and actions/cache@v3 (line 52). For complete supply-chain risk mitigation, consider pinning all floating action references in this workflow.
