
ci: pin GitHub Actions to SHA-256 commits #60

Merged
n8mgr merged 1 commit into master from pin-actions on May 15, 2026

Conversation

@n8mgr n8mgr (Member) commented May 15, 2026

Summary

  • Pin every uses: reference in workflows to a specific commit SHA
  • Each pin is annotated with the corresponding version tag in a trailing comment
  • Versions stay within the existing major (e.g. @v4 → latest v4.x.y SHA) to avoid breaking changes

Why

Mitigates supply-chain attacks where a tag could be retargeted to malicious code. Pinning to a SHA is the recommended hardening practice.

Notes for reviewers

  • Annotated tags resolve to the underlying commit SHA (not the tag object)
  • For SiaFoundation/workflows@master and dtolnay/rust-toolchain@stable|nightly (which use a branch ref intentionally), the pin uses the current branch tip SHA — future updates will require a follow-up PR
  • This PR was generated by tooling; please skim each workflow diff

Pin all action references to specific commit SHAs to prevent supply-chain
attacks. Each pin is annotated with a human-readable version tag for clarity.
Versions stay within the existing major version to avoid breaking changes.
Copilot AI review requested due to automatic review settings May 15, 2026 16:26
@n8mgr n8mgr self-assigned this May 15, 2026
@n8mgr n8mgr requested review from ChrisSchinnerl and peterjan May 15, 2026 16:26
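As an added example (not part of this PR or the SiaFoundation repository), a small audit script that classifies every `uses:` reference in a workflow the way this PR's checklist does: still on a mutable tag or branch, pinned to a commit SHA with the trailing version comment, or pinned without one. The sample workflow and its hex SHAs are constructed placeholders, not real commits.

```python
import re

# A `uses:` reference: owner/repo[/path]@ref, optionally followed by "# version note".
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<note>.*))?$"
)
# Immutable refs: a 40-hex SHA-1 object id, or 64-hex for a SHA-256 object-format repository.
SHA_RE = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

# Constructed sample workflow; the repeated-digit SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0000000000000000000000000000000000000000 # v5.0.0
      - uses: example/action@1111111111111111111111111111111111111111
  publish:
    uses: SiaFoundation/workflows/.github/workflows/go-publish.yml@master
"""


def audit_uses(workflow_text):
    """Classify each `uses:` reference as (line_no, action, ref, status).

    status is 'pinned' (SHA plus trailing version comment), 'pinned-unannotated'
    (SHA but no comment, so the version is not human-readable), or 'mutable'
    (a tag or branch that the upstream owner could retarget later)."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:  # not a uses: line, or a local ./path action with no @ref
            continue
        action, ref, note = m.group("action"), m.group("ref"), m.group("note")
        if SHA_RE.match(ref):
            status = "pinned" if (note or "").strip() else "pinned-unannotated"
        else:
            status = "mutable"
        findings.append((n, action, ref, status))
    return findings


def unpinned(workflow_text):
    """Only the references that still point at a mutable tag or branch."""
    return [f for f in audit_uses(workflow_text) if f[3] == "mutable"]


if __name__ == "__main__":
    for n, action, ref, status in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} -> {status}")
```

Running it against the sample reports two mutable references (checkout@v4 and the reusable workflow on master), which is exactly the set a follow-up pin would need to cover.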

Copilot AI (Contributor) left a comment


Pull request overview

Pins all GitHub Actions uses: references in workflows to specific commit SHAs (with version tag annotations) to mitigate supply-chain risks from tag retargeting.

Changes:

  • Replace tag-based action references (e.g., @v5) with full commit SHAs and trailing version comments across all workflows.
  • Pin SiaFoundation/workflows@master to a specific SHA snapshot of the master branch.
  • Update knope-dev/action pin from a bare SHA to a SHA annotated with # v2.1.2.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

  • .github/workflows/release.yml: pin actions/checkout and knope-dev/action to SHAs with version comments.
  • .github/workflows/publish.yml: pin the reusable SiaFoundation/workflows/.github/workflows/go-publish.yml to a master-branch SHA.
  • .github/workflows/prepare-release.yml: pin actions/checkout and knope-dev/action to SHAs with version comments.
  • .github/workflows/main.yml: pin actions/checkout, actions/setup-go, golangci-lint-action, and action-golang-test to SHAs.


@n8mgr n8mgr merged commit 633164f into master May 15, 2026
13 checks passed
@n8mgr n8mgr deleted the pin-actions branch May 15, 2026 17:16