Skip to content

INFRA-953: pin actions/checkout to SHA v6.0.2#289

Merged
kszarek merged 1 commit intomasterfrom
INFRA-232-pin-actions-checkout
Apr 21, 2026
Merged

INFRA-953: pin actions/checkout to SHA v6.0.2#289
kszarek merged 1 commit intomasterfrom
INFRA-232-pin-actions-checkout

Conversation

@lgd-michallasisz
Copy link
Copy Markdown
Contributor

@lgd-michallasisz lgd-michallasisz commented Apr 20, 2026

Requestor/Issue: @lgd-michallasisz / INFRA-232 / INFRA-953
Risk: Low
Tested: yes, on DevOPS owned repositories. Repository owner should test on their repo
Description: |
GitHub Actions using Node.js older than Node 24 will be deprecated

This repository was flagged in our audit: actions/checkout is referenced without SHA pinning and/or does not use the current stable Node 24 runtime (v6.0.2).

While reviewing old-node actions and not-SHA-pinned actions across repositories(Deprecation of Node 20 in Github Actions, we noticed that actions/checkout accounts for a significant share of outstanding items. Since v6.0.2 ships with a Node 24 runtime and pinning to SHA is a self-contained, low-risk change, we treated this as a safe low-hanging fruit and raised this PR on your behalf.

Tag-based references (@v4, @v6) are mutable — a tag can be silently moved to a different commit. SHA pinning guarantees every workflow run uses the exact, audited release and prevents supply-chain attacks via tag mutation.

Please review, approve, and test before merging.

What is being changed

All .github/ workflow files and composite actions updated:

actions/checkout@<tag|branch|sha>  →  actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

References

🤖 Co-authored-by: Claude Code

@lgd-michallasisz
pin actions/checkout to SHA v6.0.2 (INFRA-232)
2acff96 
Replace all uses: actions/checkout@<tag|sha> with the SHA-pinned
reference for v6.0.2:
  actions/checkout@de0fac2  # v6.0.2

Supply-chain hardening — pinning to exact SHA prevents tag mutation.
Part of INFRA-232 Node 24 migration and governance work.
@lgd-michallasisz lgd-michallasisz requested a review from a team as a code owner April 20, 2026 13:21
@kszarek kszarek merged commit 98db6a2 into master Apr 21, 2026
3 checks passed
@kszarek kszarek deleted the INFRA-232-pin-actions-checkout branch April 21, 2026 06:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kolodziejczykmaciek Kolodziejczykmaciek Kolodziejczykmaciek approved these changes

@GabiBia GabiBia Awaiting requested review from GabiBia GabiBia is a code owner automatically assigned from AirHelp/devops

@leszek-rozkiewicz leszek-rozkiewicz Awaiting requested review from leszek-rozkiewicz leszek-rozkiewicz is a code owner automatically assigned from AirHelp/devops

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lgd-michallasisz @Kolodziejczykmaciek @kszarek