ci: pin GitHub Actions to full commit SHAs (S7637) #4995
Merged
Pin every third-party and first-party action reference to its full commit SHA with a trailing version comment (Dependabot convention), resolving the githubactions:S7637 security hotspots. 66 references across 20 workflow files; behavior unchanged (each SHA is the tip of the previously-used tag). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Quote $GITHUB_OUTPUT (SC2086) and replace the constant '[ ${{ ... }} ]' test with a direct GitHub expression (SC2078) so the reporter actually branches on the event type instead of always returning github-pr-review.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
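The two ShellCheck findings from this commit, as an added illustration that is not code from the PR: the reporter-selection step with the constant `[ ... ]` test beside the corrected comparison, and the quoted `$GITHUB_OUTPUT` write. GitHub renders `${{ github.event_name == 'pull_request' }}` into the literal text `true` or `false` before the shell runs, so a `rendered` parameter stands in for that text here; `github-check` is an assumed fallback reporter used only for illustration (the commit message names only github-pr-review).

```shell
#!/bin/sh
# Added example (not from the PR): why the old `[ ${{ ... }} ]` test always
# chose github-pr-review, and the corrected comparison.
# GitHub renders `${{ github.event_name == 'pull_request' }}` into the literal
# text `true` or `false` before the shell runs; the $rendered parameter below
# stands in for that rendered text so the functions run offline.
# "github-check" is an assumed fallback reporter for illustration; the PR text
# only names github-pr-review.

# Buggy form (ShellCheck SC2078, "this expression is constant"): `[ true ]`
# and `[ false ]` are both one-argument tests of a non-empty string, so the
# branch is taken on every event type.
reporter_buggy() {
  rendered="$1"
  if [ $rendered ]; then
    echo github-pr-review
  else
    echo github-check
  fi
}

# Corrected form: compare the rendered text against "true" so the result
# actually follows the event type. The other accepted form is to run the
# rendered value directly (`if ${{ ... }}; then`), since `true` and `false`
# are commands; the string comparison is shown here because it is safe for
# any input.
reporter_fixed() {
  rendered="$1"
  if [ "$rendered" = "true" ]; then
    echo github-pr-review
  else
    echo github-check
  fi
}

# SC2086 fix from the same commit: quote $GITHUB_OUTPUT so a runner path
# containing spaces or glob characters is not word-split before the redirect.
write_reporter_output() {
  output_file="$1"
  reporter="$2"
  echo "reporter=$reporter" >> "$output_file"
}
```

Running `reporter_buggy false` still prints github-pr-review, which is the always-true behaviour the commit removes; `reporter_fixed false` takes the other branch.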
Pin the 15 action references inside .github/actions/*/action.yml to full commit SHAs with version comments, matching the workflow files. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add an Actionlint workflow (reviewdog/action-actionlint, SHA-pinned) that runs on changes to .github/workflows/** and .github/actions/**, failing on any finding so workflow/composite-action issues are caught in CI. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Re-resolve every pinned action to its latest release and record the full version in the comment. Functional bumps: actions/cache v5->v6.1.0 (composite actions, now unified with the workflows), chabad360/htmlproofer master->v2 (branch->release tag), actions/attest-build-provenance v4.1.0->v4.1.1. All other SHAs already pointed at the latest release tip; comments updated from major tags (e.g. v7) to exact versions (e.g. v7.0.0). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Thank you @arturcic for your contribution!



Pins every action reference in .github/workflows/ to a full commit SHA with a trailing # <version> comment (the Dependabot convention, keeping versions human-readable), resolving the githubactions:S7637 security hotspots ("Use full commit SHA hash for this dependency").

gittools/cicd/*, github/codeql-action/*) pinned to their shared repo SHA with subpaths preserved. actionlint clean (only pre-existing docs.yml shellcheck warnings remain, untouched here).

🤖 Generated with Claude Code
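A way to verify the property this PR establishes, as an added example that is not part of the PR or the project: a POSIX shell audit that lists every `uses:` reference in workflow and composite-action files that is not pinned to a full 40-hex commit SHA followed by a `# <version>` comment. Local composite actions (`./...`) and `docker://` images are skipped because they have no upstream tag to pin. The directory is passed as an argument; the sample workflow written by `demo_dir` is constructed for the demo and its SHA is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not part of the PR: audit `uses:` references for the
# SHA-plus-version-comment convention the PR adopts.

# Print one line per unpinned or uncommented reference as file:line:ref.
find_unpinned() {
  dir="$1"
  find "$dir" -type f \( -name '*.yml' -o -name '*.yaml' \) | sort | while read -r f; do
    grep -n -E '^[[:space:]-]*uses:[[:space:]]*' "$f" | while IFS= read -r line; do
      num=${line%%:*}
      # Strip the line number, the `uses:` key and any surrounding quotes
      ref=$(printf '%s' "$line" | sed -E 's/^[0-9]+:[[:space:]-]*uses:[[:space:]]*//' | tr -d "\"'")
      case "$ref" in
        ./*|docker://*) continue ;;   # local composite actions and images: nothing to pin
      esac
      # Pinned means: owner/repo[/subpath]@<40 lowercase hex>  # <version>
      if ! printf '%s\n' "$ref" | grep -q -E '^[^@[:space:]]+@[0-9a-f]{40}[[:space:]]+#[[:space:]]*v?[0-9]'; then
        printf '%s:%s:%s\n' "$f" "$num" "$ref"
      fi
    done
  done
}

# Number of offending references (0 means the tree follows the convention).
count_unpinned() {
  find_unpinned "$1" | wc -l | tr -d ' '
}

# Constructed sample tree for the demo; the SHA below is a placeholder.
demo_dir() {
  d=$(mktemp -d)
  mkdir -p "$d/workflows"
  cat > "$d/workflows/ci.yml" <<'EOF'
name: ci
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: actions/cache@v4
      - uses: example/tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
EOF
  printf '%s\n' "$d"
}

# Usage: sh audit.sh .github
# Prints nothing and exits 0 when every reference is pinned; otherwise lists
# the offenders and exits 1, so it can gate CI the same way actionlint does.
if [ -n "${1:-}" ]; then
  find_unpinned "$1"
  [ "$(count_unpinned "$1")" -eq 0 ]
fi
```

On the sample tree the audit reports two references: `actions/cache@v4` (a mutable tag, no SHA) and `example/tool@<sha>` (a SHA with no version comment, which defeats the Dependabot convention that keeps the pin readable and updatable).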