SHA-pin all GitHub Actions; bump action-gh-release v2 -> v3.0.0#14
Merged
Conversation
The previous release workflow run logged the GitHub Actions deprecation warning for Node 20-based actions: Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: softprops/action-gh-release@v2. Upstream v3.0.0 is a runtime-only bump: bundle target moves from Node 20 to Node 24, no API or behavioural changes. The v2 line stays pinned to 2.6.2 for fleets that don't yet have Node 24, which we don't need. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The release job runs in the protected `release` environment and has the code-signing PFX in scope. A floating major tag (@V3) on a third-party action means an upstream account compromise could be used to repoint the tag at malicious code that exfiltrates the signing secrets or modifies what gets uploaded post-signing. Pin to the v3.0.0 commit so future bumps are deliberate and reviewable. A trailing comment preserves the human-readable version so reviewers don't have to resolve the SHA manually. `actions/checkout` is first-party (GitHub itself) and is left on its floating major tag. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the release workflow to use a SHA-pinned softprops/action-gh-release v3.0.0 action, addressing the Node 20 deprecation warning while reducing mutable-tag supply-chain risk in the protected release job.
Changes:
- Replaces
softprops/action-gh-release@v2with the reviewed commit SHA for v3.0.0. - Adds inline comments documenting why the third-party release action is pinned and how future updates should be handled.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Make the action-pinning policy consistent across the repo: every workflow now references its dependencies by full commit SHA with a trailing comment showing the human-readable version. The previous commit pinned softprops/action-gh-release (third-party, runs in the signing-secrets environment); this one applies the same treatment to actions/checkout for consistency, even though it is first-party and the supply-chain risk profile is lower. @v5 currently floats to v5.0.1 (93cb6ef), so this is a no-op in terms of bits shipped to the runner today; future v5.x bumps will now require a deliberate SHA change rather than appearing implicitly. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
andrewyager
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two related workflow-hardening changes, applied consistently across
ci.yml,release.yml, andtest-signing.yml.1. Bump
softprops/action-gh-releasev2 -> v3.0.0Addresses the Node-20 deprecation warning that surfaced on the
v1.1.0release run. Upstreamv3.0.0is a runtime-only change — bundle moves from Node 20 to Node 24, no API/behavioural differences per the release notes.2. SHA-pin every action
All
uses:references now pin to a full commit SHA with a trailing comment showing the human-readable version:actions/checkout93cb6efe18208431cddfb8368fd83d5badbf9bfdsoftprops/action-gh-releaseb4309332981a82ec1c5618f44dd2e27cc8bfbfdaRationale: the release job has the code-signing PFX in scope via the protected
releaseenvironment. A mutable third-party major tag is the textbook target for a supply-chain attack — ifsoftpropsoractionswere ever compromised, repointing the tag would silently pull malicious code into the next run and could exfiltrate the cert. SHA-pinning removes that lever; future bumps now require a deliberate, reviewable change.actions/checkout@v5currently resolves to the same SHA as@v5.0.1, so the pin is a no-op in terms of bits shipped to runners today. The hardening kicks in the next time upstream releases a new minor or patch.Test plan
v1.1.1-rc1) and confirm the release workflow runs without the Node-20 deprecation warning and publishes the release artifact.gh api repos/actions/checkout/git/ref/tags/v5.0.1 --jq '.object.sha'gh api repos/softprops/action-gh-release/git/ref/tags/v3.0.0 --jq '.object.sha'🤖 Generated with Claude Code