Skip to content

ci: pin GitHub Actions hashes#2

Open
mbaraniak-exodus wants to merge 2 commits intomempoolfrom
mbaraniak/github-action-pinning
Open

ci: pin GitHub Actions hashes#2
mbaraniak-exodus wants to merge 2 commits intomempoolfrom
mbaraniak/github-action-pinning

Conversation

@mbaraniak-exodus
Copy link
Copy Markdown

@mbaraniak-exodus mbaraniak-exodus commented Apr 8, 2026

📝 Summary

Pin GitHub Actions used in CI workflows to full commit SHAs.

This removes floating action references and reduces supply-chain risk by ensuring workflow execution uses reviewed, immutable upstream revisions instead of tags that can be moved.

Copilot AI reviewed Apr 8, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to improve supply-chain security by pinning GitHub Actions used in CI workflows to specific commit SHAs instead of floating version tags. This prevents malicious actors from compromising workflows by modifying tags on upstream repositories.

Changes:

  • Pin docker/setup-buildx-action in on-tag.yml workflow to a specific commit SHA with version reference
  • Pin vmactions/freebsd-vm in ci.yml workflow to a specific commit SHA with version reference

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/on-tag.yml Pins docker/setup-buildx-action to commit SHA 8d2750c68a42422c14e847fe6c8ac0403b4cbd6f (v3.12.0)
.github/workflows/ci.yml Pins vmactions/freebsd-vm to commit SHA c9f815bc7aa0d34c9fdd0619b034a32d6ca7b57e (v1.4.2)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

ale-exo
ale-exo approved these changes Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

@ale-exo ale-exo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK

  • https://github.com/docker/setup-buildx-action/releases/tag/v3.12.0
  • https://github.com/vmactions/freebsd-vm/releases/tag/v1.4.2

Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

ale-exo
ale-exo approved these changes Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

@ale-exo ale-exo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK

  • https://github.com/actions/cache/releases/tag/v3.4.0
  • https://github.com/actions/checkout/releases/tag/v4.3.1
  • https://github.com/actions/checkout/releases/tag/v3.6.0
  • https://github.com/docker/setup-qemu-action/releases/tag/v3.7.0
  • https://github.com/docker/setup-buildx-action/releases/tag/v3.12.0
  • https://github.com/actions/github-script/releases/tag/v7.1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ale-exo ale-exo ale-exo approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mbaraniak-exodus @ale-exo