feat: add SHA pinning validation for reusable workflow references#276

Open
TAJeffcock wants to merge 1 commit into main from feat/sa-689-enforce-reusable-sha-pinning

Conversation

@TAJeffcock TAJeffcock commented May 22, 2026

what

  • Adds a validation step to github-workflow-validation.yml that fails if any reusable workflow reference to appvia/appvia-cicd-workflows uses a tag or branch instead of a full commit SHA
  • Adds scripts/audit_sha_pinning.sh to discover non-compliant terraform-aws-* repositories across an org

why

  • Reusable workflow references pinned to tags or branches are mutable — a tag move or force-push could silently change what executes without review
  • This guardrail prevents regression by blocking PRs that introduce non-SHA references going forward
  • Part of supply-chain security standardisation across terraform-aws-* repositories (SA-689)

references

@TAJeffcock TAJeffcock requested a review from gambol99 May 22, 2026 16:08
@TAJeffcock TAJeffcock self-assigned this May 22, 2026
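The check the PR describes, written out as an added example (not the PR's own validation step or `scripts/audit_sha_pinning.sh`): every `uses:` line that points at `appvia/appvia-cicd-workflows/<path>@<ref>` must carry a full 40-hex commit SHA as its ref, so tags, branches and abbreviated SHAs are reported. The sample workflow and its workflow file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the PR's own script: flag `uses:` references to
# appvia/appvia-cicd-workflows whose ref is a tag or branch rather than a
# full 40-hex commit SHA, the same rule the validation step above enforces.
# Print each non-compliant `uses:` line as file:line:text; comment lines are skipped.
list_unpinned() {
  grep -HnE '^[^#]*uses:[[:space:]]*appvia/appvia-cicd-workflows/' "$@" 2>/dev/null |
  while IFS= read -r hit; do
    ref=${hit#*@}               # text after the first '@' is the ref
    ref=${ref%%#*}              # drop a trailing YAML comment
    ref=${ref%%[[:space:]]*}    # drop trailing whitespace
    case $ref in
      *[!0-9a-fA-F]*|'') printf '%s\n' "$hit" ;;        # non-hex chars, or no '@ref' at all
      *) [ ${#ref} -eq 40 ] || printf '%s\n' "$hit" ;;  # hex but abbreviated
    esac
  done
}

# Return 0 when every matching reference is SHA-pinned, 1 otherwise (offenders on stderr).
check_sha_pinning() {
  unpinned=$(list_unpinned "$@")
  if [ -n "$unpinned" ]; then
    printf 'ERROR: reusable workflow references not pinned to a full commit SHA:\n%s\n' "$unpinned" >&2
    return 1
  fi
  return 0
}

# Constructed sample workflow: one SHA-pinned call, one branch, one tag, one local path.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ci.yml" <<'EOF'
name: ci
on: [pull_request]
jobs:
  validate:
    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@0123456789abcdef0123456789abcdef01234567
  docs:
    uses: appvia/appvia-cicd-workflows/.github/workflows/docs.yml@main
  release:
    uses: appvia/appvia-cicd-workflows/.github/workflows/release.yml@v1.4.0   # tag: mutable
  local:
    uses: ./.github/workflows/local.yml
EOF

if check_sha_pinning "$demo_dir/ci.yml"; then
  echo "all reusable workflow references are SHA-pinned"
else
  echo "found references that are not SHA-pinned (see stderr)"
fi
```

In a workflow job the same function would run against `.github/workflows/*.yml` and its non-zero exit fails the PR check, which is the guardrail behaviour the description calls for.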