DEVOPS-8397: chore(security): pin external GitHub Actions to commit SHAs#617
Conversation
Pin external third-party actions to full-length commit SHAs with a trailing version comment to mitigate mutable-tag supply-chain attacks. Internal SecureAuthCorp/* references intentionally left on floating tags. No functional change: each SHA resolves to the commit the existing tag points to. DEVOPS-8397
lgonczarik
left a comment
There was a problem hiding this comment.
Approved: external GitHub Actions pinned to commit SHAs (supply-chain hardening), no functional change.
svcdevopsgit2-sa
left a comment
There was a problem hiding this comment.
Approve: pin external GitHub Actions to commit SHAs (DEVOPS-8397). Verified each pinned SHA matches its version tag; no functional change.
jgutikonda-sa
left a comment
There was a problem hiding this comment.
Reviewed as part of the DEVOPS-8397 batch. Pin-only change: external GitHub Actions moved from floating tags to immutable commit SHAs with version comments preserved. Verified each pinned SHA resolves to its corresponding upstream version tag (checkout@v2/v3, dependabot/fetch-metadata@v1.1.1, docker/setup-qemu-action@v1, docker/setup-buildx-action@v1, docker/login-action@v1, docker/build-push-action@v2, EndBug/add-and-commit@v9, devops-infra/action-pull-request@v0.5.3). Only .github/workflows/* touched, no functional changes. LGTM ✅
Summary
Pin every external third-party GitHub Action to a full-length commit SHA with a
trailing version comment, mitigating the mutable-tag supply-chain attack class
(e.g. the
tj-actions/changed-filescompromise). A moved tag can no longer swapcode into our CI — the SHA is immutable, and the comment preserves the original
version for readability and Renovate updates.
Internal
SecureAuthCorp/*references are intentionally left on floating tags(
@main/@v1) — same-org sources where floating is by design and theexternal-maintainer threat does not apply.
No functional change: every SHA resolves to the exact commit the existing tag
currently points to.
This mirrors the org
github-actionsrepo change (PR #90).JIRA: https://secureauth.atlassian.net/browse/DEVOPS-8397