Skip to content

Pin GitHub Actions to SHAs [SRE-1802]#8

Draft
tylergohl wants to merge 2 commits into
masterfrom
sre-1802-pin-actions-to-shas
Draft

Pin GitHub Actions to SHAs [SRE-1802]#8
tylergohl wants to merge 2 commits into
masterfrom
sre-1802-pin-actions-to-shas

Conversation

@tylergohl

@tylergohl tylergohl commented May 21, 2026

Copy link
Copy Markdown

Summary

Pin GitHub Actions references in this repo to immutable commit SHAs (with the original tag/branch preserved in a trailing comment). Part of SRE-1802 — org-wide supply-chain hardening.

Scope

This PR pins:

  • Internal ctrliq/* reusable workflow and action references
  • External actions not handled by clo-ciq's parallel Node 20 effort

No actions in this repo were claimed by clo-ciq's effort — this PR pins everything.

Files touched

  • .github/workflows/main.yaml
  • .github/workflows/pr.yaml

Test plan

  • Workflow runs succeed on this branch (or on next trigger after merge)
  • Once this and any companion clo-ciq PR merge, this repo has zero unpinned external/internal refs and sha_pinning_required can be enabled on it

Copilot AI review requested due to automatic review settings May 21, 2026 01:38

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Supply-chain hardening update to make GitHub Actions workflow dependencies immutable by pinning external actions to specific commit SHAs.

Changes:

  • Pinned actions/checkout to a commit SHA in both PR and release workflows (with the prior major version retained as a comment).
  • Pinned docker/login-action and docker/setup-qemu-action to commit SHAs in the release workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/pr.yaml Pins actions/checkout to an immutable commit SHA for PR CI runs.
.github/workflows/main.yaml Pins actions/checkout, docker/login-action, and docker/setup-qemu-action to immutable commit SHAs for tag/release builds.
Comments suppressed due to low confidence (1)

.github/workflows/main.yaml:30

  • run: is defined as a YAML mapping here (because it has no scalar value) rather than a string, which GitHub Actions expects for a step run. This will cause the workflow to fail to parse/execute. Use run: <command> on the same line, or run: | and indent the command(s) under it.
      - name: Build/Push to GitHub Container Registry
        run:
          make push-multiarch PULL_BASE_REF=$(git describe --tags --abbrev=0) REGISTRY_NAME=ghcr.io/ctrliq BUILD_PLATFORMS="linux amd64 amd64 -amd64; linux arm64 arm64 -arm64"

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants