Skip to content

ci: pin third-party GitHub Actions to commit SHAs#1439

Open
valter-silva-au wants to merge 1 commit into
awslabs:mainfrom
valter-silva-au:ci/pin-actions-to-commit-shas
Open

ci: pin third-party GitHub Actions to commit SHAs#1439
valter-silva-au wants to merge 1 commit into
awslabs:mainfrom
valter-silva-au:ci/pin-actions-to-commit-shas

Conversation

@valter-silva-au

Copy link
Copy Markdown

Description

Pins all third-party GitHub Actions in .github/workflows/ to immutable commit SHAs, extending the convention this repo already applies to Swatinem/rust-cache and re-actors/alls-green (both already carry a # Pinned to the commit hash of <tag> comment).

Motivation

  • Supply chain: a mutable tag (@v4) or branch (@master) ref can be silently re-pointed at different code; a 40-char commit SHA is immutable. This is the OpenSSF Scorecard Pinned-Dependencies check.
  • Deprecation: actions/checkout@v3 runs on the deprecated Node 16 runtime. This change also retires it.

Changes

All SHAs are the current head of the same tag/branch that was referenced before — behavior is unchanged.

Action Before After Files
actions/checkout @v3 SHA of v4.3.1 ci.yaml (×4), audit.yaml (×2) — retires Node 16
actions/checkout @v4 SHA of v4.3.1 canary.yaml (×3), release-checks.yaml (×2) — pinned for consistency
dtolnay/rust-toolchain @master pinned commit SHA ci.yaml (×2), audit.yaml (×2), canary.yaml (×2)
actions/github-script @v7 SHA of v7.1.0 issue-regression-labeler.yml (×1)

AWS-owned actions (aws-actions/*, aws-github-ops/*) are intentionally left on their major-version tags.

Each pinned line carries a # Pinned to the commit hash of <tag> comment matching the existing style, so the human-readable version stays visible.

Out of scope (possible follow-up)

A minimal .github/dependabot.yml (github-actions ecosystem) would keep these pins fresh automatically. Happy to add it here or in a separate PR if you'd prefer.

Verification

  • grep -rEn "uses: .+@(v[0-9]|master)" .github/workflows/ now returns only the four intentional AWS-owned actions.
  • All five edited workflow files parse as valid YAML.

Prior art for GitHub Actions maintenance on this repo: #662, #1054 (both merged).

@valter-silva-au valter-silva-au requested a review from a team as a code owner June 27, 2026 07:54
@valter-silva-au valter-silva-au force-pushed the ci/pin-actions-to-commit-shas branch 2 times, most recently from 8827150 to 0c79398 Compare July 7, 2026 14:07
Pin all third-party actions in `.github/workflows/` to immutable commit
SHAs, extending the convention the repo already applies to
`Swatinem/rust-cache` and `re-actors/alls-green` (each carrying a
"# Pinned to the commit hash of <tag>" comment).

- actions/checkout: bump `@v3` -> SHA of v4.3.1 in ci.yaml (4x) and
  audit.yaml (2x), retiring the deprecated Node 16 runtime; pin the
  existing `@v4` uses in canary.yaml (3x) and release-checks.yaml (2x)
  to the same SHA so checkout is consistent repo-wide.
- dtolnay/rust-toolchain: replace the floating `@master` branch (ci 2x,
  audit 2x, canary 2x) with a pinned commit SHA.
- actions/github-script: pin `@v7` -> SHA of v7.1.0 in
  issue-regression-labeler.yml.

AWS-owned actions (aws-actions/*, aws-github-ops/*) are intentionally
left on their major-version tags. Behavior is unchanged: every SHA is
the head of the same tag/branch previously referenced.

Mitigates the OpenSSF Scorecard Pinned-Dependencies finding: a mutable
tag or branch ref can be repointed at malicious code, whereas a commit
SHA is immutable.
@valter-silva-au valter-silva-au force-pushed the ci/pin-actions-to-commit-shas branch from 0c79398 to 2016033 Compare July 8, 2026 05:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant