chore: pin GitHub Actions to verified commit SHAs #824

Open: bhimrazy wants to merge 2 commits into Lightning-AI:main from bhimrazy:chore/pin-workflow-actions

@bhimrazy
Collaborator

What does this PR do?

Pins all GitHub Actions and reusable workflows to verified commit SHAs for supply chain security.

Follows the same pattern as pytorch-lightning#21735.

Pinned references

| Action | Release | Commit SHA |
|---|---|---|
| actions/checkout | v6.0.2 | de0fac2e4500dabe0009e67214ff5f5447ce83dd |
| actions/setup-python | v6.2.0 | a309ff8b426b58ec0e2a45f0f869d46889d02405 |
| actions/download-artifact | v8.0.1 | 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c |
| actions/github-script | v9.0.0 | 3a2844b7e9c422d3c10d287c895573f7108da1b3 |
| actions/first-interaction | v3.1.0 | 1c4688942c71f71d4f5502a26ea67c331730fa4d |
| astral-sh/setup-uv | v7.6.0 | 37802adc94f370d6bfd71619e3f0bf239e1f3b78 |
| codecov/codecov-action | v6.0.1 | e79a6962e0d4c0c17b229090214935d2e33f8354 |
| pypa/gh-action-pypi-publish | v1.14.0 | cef221092ed1bacb1cc03d23a2d87d1d172e277b |
| JamesIves/github-pages-deploy-action | v4.8.0 | d92aa235d04922e8f08b40ce78cc5442fcfbfa2f |
| Lightning-AI/utilities reusable workflows | v0.15.3 | 86fe1b20b4609835ba9e8c8739cd39707ba76868 |

bhimrazy added 2 commits May 26, 2026 11:41
Pins all workflow actions to full commit SHAs with version comments
for supply chain security, following the pattern in Lightning-AI/pytorch-lightning#21735.

Pinned actions:
- actions/checkout@v6 → de0fac2 (v6.0.2)
- actions/setup-python@v6 → a309ff8 (v6.2.0)
- actions/download-artifact@v8 → 3e5f45b (v8.0.1)
- actions/github-script@v9 → 3a2844b (v9.0.0)
- actions/first-interaction@v3 → 1c4688942c71f71d4f5502a26ea67c331730fa4d (v3.1.0)
- astral-sh/setup-uv@v7 → 37802ad (v7.6.0)
- codecov/codecov-action@v6 → e79a696 (v6.0.1)
- pypa/gh-action-pypi-publish@v1.14.0 → cef2210 (v1.14.0)
- JamesIves/github-pages-deploy-action@v4.8.0 → d92aa23 (v4.8.0)
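
An added example, not part of this PR or of the Lightning-AI repositories: a small Python audit that flags `uses:` references not pinned to a full 40-character commit SHA with a version comment, the pattern the description and commit message above follow. The workflow text is constructed for illustration (the two full SHAs come from the table above; `example-org/example-repo` and the local action path are hypothetical), and treating abbreviated SHAs as unpinned is this example's policy.

```python
import re

# A step-level or job-level `uses:` reference: owner/repo[/path]@ref  # comment
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<target>[^@\s'\"#]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"v?\d+(?:\.\d+)+")

# Constructed sample workflow; example-org/example-repo and the local path are hypothetical.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@v6
      - name: Install uv
        uses: astral-sh/setup-uv@37802ad # v7.6.0
      - uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354
      - uses: ./.github/actions/local-step
  reuse:
    uses: example-org/example-repo/.github/workflows/reusable.yml@main
"""


def audit_workflow(text):
    """Return (line_no, target, ref, verdict) for every remote `uses:` reference."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m["target"].startswith(("./", "docker://")):
            continue  # local actions and container images are outside this check
        ref, comment = m["ref"], m["comment"]
        if not FULL_SHA_RE.fullmatch(ref):
            verdict = "unpinned"  # tag, branch, or abbreviated SHA
        elif not VERSION_RE.search(comment or ""):
            verdict = "pinned-no-version-comment"
        else:
            verdict = "pinned"
        findings.append((line_no, m["target"], ref, verdict))
    return findings


if __name__ == "__main__":
    for line_no, target, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target}@{ref} -> {verdict}")
```

Run over the files in `.github/workflows/` in CI, a check like this can fail the build whenever any verdict other than `pinned` appears.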

codecov-commenter commented May 26, 2026

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81%. Comparing base (5213544) to head (c9b2f86).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@         Coverage Diff         @@
##           main   #824   +/-   ##
===================================
- Coverage    81%    81%   -0%     
===================================
  Files        54     54           
  Lines      7617   7617           
===================================
- Hits       6144   6143    -1     
- Misses     1473   1474    +1     
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
