
Pin GitHub Actions to commit SHAs #196

Merged

neonspectra merged 1 commit into master from neon/github-actions-audit-remediation-2026-06-15 on Jun 15, 2026


Conversation

@neonspectra

Contributor

Summary

Pins GitHub Actions uses: references to verified full-length commit SHAs.

This prepares the repository for org-wide enforcement that blocks unpinned GitHub Actions and reduces supply-chain risk from mutable tags or branches.

Details

  • Replaced mutable external action refs such as owner/action@vN with full 40-character commit SHAs.
  • Preserved the originally intended tag/version as an inline comment next to each pin.
  • Resolved SHAs from the official upstream action repositories using git ls-remote.
  • For annotated tags, pinned the peeled commit SHA (refs/tags/<tag>^{}), not the tag object SHA.
  • No workflow behavior, inputs, permissions, or triggers were intentionally changed.
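The pinning procedure described in the list above, as an added example (not code from this PR or its repository): a small Python helper that resolves each external `uses:` ref with `git ls-remote`, prefers the peeled commit of an annotated tag over the tag object, rewrites the line with the tag kept as a comment, and reports any refs that are still unpinned. The `git ls-remote` output and the workflow snippet are constructed sample data with placeholder SHAs.

```python
"""Pin GitHub Actions `uses:` refs to full commit SHAs. Added example, not this PR's code:
resolve via `git ls-remote`, prefer refs/tags/<tag>^{} (peeled commit), keep tag in a comment."""
import re
import subprocess
USES_RE = re.compile(r"^(?P<head>\s*-?\s*uses:\s*)(?P<repo>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
                     r"@(?P<ref>[^\s#]+)(?P<rest>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def pick_commit_sha(ls_remote_output, tag):
    """Annotated tags list twice in `git ls-remote --tags`: refs/tags/<tag> is the tag
    object, refs/tags/<tag>^{} is the commit that actually runs, so the peeled line wins."""
    plain = peeled = None
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    sha = peeled or plain  # lightweight tags have only the plain line, already a commit
    return sha if sha and SHA_RE.match(sha) else None

def resolve_with_git(repo, tag):  # network path; a sub-path action lives in owner/repo too
    url = "https://github.com/%s.git" % "/".join(repo.split("/")[:2])
    out = subprocess.run(["git", "ls-remote", "--tags", url], check=True, capture_output=True, text=True).stdout
    return pick_commit_sha(out, tag)

def pin_uses_line(line, resolver):
    m = USES_RE.match(line)
    if not m or SHA_RE.match(m.group("ref")):
        return line  # local/docker action or already pinned: leave untouched
    sha = resolver(m.group("repo"), m.group("ref"))
    if sha is None:
        raise ValueError(f"cannot resolve {m.group('repo')}@{m.group('ref')}")
    return f"{m.group('head')}{m.group('repo')}@{sha} # {m.group('ref')}{m.group('rest').rstrip()}"

def unpinned_uses(workflow_text):
    """(line number, ref) of each external action not pinned to a 40-hex SHA: a CI gate."""
    return [(n, f"{m.group('repo')}@{m.group('ref')}")
            for n, line in enumerate(workflow_text.splitlines(), 1)
            if (m := USES_RE.match(line)) and not SHA_RE.match(m.group("ref"))]

def pin_workflow(workflow_text, resolver=resolve_with_git):
    return "".join(pin_uses_line(ln, resolver) + "\n" for ln in workflow_text.splitlines())

# Constructed sample data with placeholder SHAs (not real upstream commits).
SAMPLE_LS_REMOTE = ("a" * 40 + "\trefs/tags/v4\n" + "b" * 40 + "\trefs/tags/v4^{}\n"
                    + "c" * 40 + "\trefs/tags/v4.1.0\n")
SAMPLE_WORKFLOW = ("jobs:\n  build:\n    steps:\n      - uses: actions/checkout@v4\n"
                   "      - uses: ./.github/actions/local\n"
                   "      - uses: actions/setup-node@" + "0" * 40 + " # v4\n")
```

Running `unpinned_uses` over the rewritten text afterwards is the same check the org-wide policy will apply, so an empty result before merge means the enforcement will not break the workflow.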

Pin external GitHub Actions used by workflows to verified full-length commit SHAs while preserving the referenced release tags in comments.

Co-authored-by: neon <neon@neosynth.net>

@iperzic iperzic left a comment


Code LGTM, but I'm not sure whether CI failures have something to do with the changes?

@neonspectra

Contributor Author

They were failing on the previous commit to master. Not related to anything as far as I can see. All this change does is pin the workflows to the version they're tagged as.

@neonspectra neonspectra merged commit 69a2190 into master Jun 15, 2026
0 of 2 checks passed
@neonspectra neonspectra deleted the neon/github-actions-audit-remediation-2026-06-15 branch June 15, 2026 13:24