Skip to content

[TASK] Update and SHA-pin all GitHub Actions#1184

Open
CybotTM wants to merge 1 commit into
TYPO3-Documentation:mainfrom
CybotTM:feature/update-actions
Open

[TASK] Update and SHA-pin all GitHub Actions#1184
CybotTM wants to merge 1 commit into
TYPO3-Documentation:mainfrom
CybotTM:feature/update-actions

Conversation

@CybotTM

@CybotTM CybotTM commented Feb 22, 2026

Copy link
Copy Markdown
Contributor

Summary

Updates and SHA-pins all GitHub Actions in non-CI workflow files for supply
chain security.

main.yaml is excluded from this PR — it will be migrated to shared reusable
workflows via #1196.

Files changed

  • .github/workflows/docker.yaml — metadata-action, login-action, setup-qemu, setup-buildx, build-push, upload/download-artifact, checkout
  • .github/workflows/docker-test.yaml — checkout
  • .github/workflows/deploy-azure-assets.yaml — checkout
  • .github/workflows/split-repositories.yaml — checkout, cache, use-github-token, use-subsplit-publish
  • .github/workflows/pr-auto-merge.yaml — dependabot/fetch-metadata
  • .github/workflows/pr-auto-approve.yaml — dependabot/fetch-metadata

Version updates

All versions verified as latest releases via the GitHub API on 2026-07-04.

Action Old New SHA
actions/checkout SHA only (v6.0.2) v7.0.0 9c091bb2
actions/cache SHA only (v5.0.3) v6.1.0 55cc8345
docker/metadata-action SHA only v6.2.0 dc802804
docker/login-action SHA only v4.4.0 af1e73f9
docker/setup-qemu-action SHA only v4.2.0 96fe6ef7
docker/setup-buildx-action SHA only v4.2.0 bb05f3f5
docker/build-push-action SHA only v7.3.0 53b7df96
actions/upload-artifact SHA only v7.0.1 043fb46d
actions/download-artifact SHA only v8.0.1 3e5f45b2
dependabot/fetch-metadata SHA only v3.1.0 25dd0e34
frankdejonge/use-github-token SHA only 1.1.0 15e6289d
frankdejonge/use-subsplit-publish SHA only 1.1.0 00010151

Reviewer note on test coverage

Several bumps cross a major version (docker/* actions, upload/download-artifact, fetch-metadata, cache). Their latest release notes show no input/behavior breaking changes affecting our usage, but note that docker.yaml (publish path), split-repositories.yaml and deploy-azure-assets.yaml only run on push/tag events, so PR CI does not exercise them — worth a close look at the first post-merge runs.

Related

  • #1196 — Migrates main.yaml to shared reusable workflows

@CybotTM CybotTM marked this pull request as draft February 22, 2026 12:04
@CybotTM CybotTM changed the title [TASK] Update GitHub Actions to latest versions [TASK] Update and SHA-pin all GitHub Actions Feb 22, 2026
@CybotTM CybotTM marked this pull request as ready for review February 22, 2026 13:47
linawolf
linawolf previously approved these changes Mar 1, 2026
@linawolf

linawolf commented Mar 1, 2026

Copy link
Copy Markdown
Member

The best course of action seems to be to merge this and try it out and watch the first runs of the pipelines.

I see less risk in hardening the versions but you made major upgrades to some versions so we would have to watch the pipelines closely. Best would be to merge this when no TYPO3 Core releases are planned that week so we dont have suddenly all the important manuals rendering.

@CybotTM CybotTM force-pushed the feature/update-actions branch from c8903b8 to 123d809 Compare March 1, 2026 16:01
@sbuerk

sbuerk commented Mar 2, 2026

Copy link
Copy Markdown

Despite switching to commit hashes not discussing it for now, this pull-requests misses to provide a detail analysis and risk-assesment about raising marketplace action one or in some cases two major versions.

Actions following semver could introduce breaking things with new versions, dropping stuff and similar and possibile need adjustments. None of them is contained or mentioned in the pull-request nor the single commit messages.

Taken into account that this pull-request not only changes the version of official github provided actions, but also 3rd party market place actions this is would have to read that up.

Can you please provide a detailed risk-assesment about the raises and the analysis if there are changes or a statement about that it is okay with a reasoning for each of the updated action ?

Note

The list needs to be reviewable and easy verifiable, providing links
corresponding releases and/or upgrade information would be helpfull.

Important

DISCLAIMER Not part of the documentation team, above mentioned
statements are my personal view on this.

@CybotTM

CybotTM commented Mar 2, 2026

Copy link
Copy Markdown
Contributor Author

I am done with the PR, close it if it does not meet your ad-hoc requirements. I'm fine with rejecting this PR, would just be nice to have such requirements defined upfront not afterwards.

@CybotTM

CybotTM commented Mar 2, 2026

Copy link
Copy Markdown
Contributor Author

I added the major version changes, I skipped minor and bugfix, as these are already auto-merged currently.

@CybotTM

CybotTM commented Mar 2, 2026

Copy link
Copy Markdown
Contributor Author

Save CO² - update your node! ;-)

@linawolf linawolf dismissed their stale review March 2, 2026 07:25

Waiting for your discussion to resolve

@linawolf

linawolf commented Mar 2, 2026

Copy link
Copy Markdown
Member

To make review easie rand reduce scope, I would suggest to avoid mixing concerns and do the SHA pinning and Major version bumbs in separate PRs.

That way we can review the structural change (pinning) independently from the version upgrades.

Updates and SHA-pins all GitHub Actions in non-CI workflow files
(Docker, deploy, split-repositories, Dependabot auto-merge/approve).

main.yaml is excluded — it will be migrated to shared reusable
workflows via TYPO3-Documentation#1196.

Signed-off-by: Sebastian Mendel <github@sebastianmendel.de>
@CybotTM CybotTM force-pushed the feature/update-actions branch from 74bc804 to 70225eb Compare July 4, 2026 09:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants