chore: pin Actions to commit SHA, lock npm versions, remove pull_request_target#24504
Merged
dvdksn merged 2 commits into docker:main from Mar 24, 2026
Conversation
All mutable action tags replaced with verified commit SHAs to prevent supply-chain attacks via tag mutation. package.json ^ ranges replaced with exact versions from package-lock.json. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pr-review: drop pull_request_target (auto-review on open/ready_for_review). Manual /review via issue_comment is preserved and unaffected. labeler: replace pull_request_target with workflow_dispatch to disable automatic fork-PR labeling. Can be re-enabled by reverting this change. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Assessment: 🟢 APPROVE
This PR implements security hardening for GitHub Actions workflows with no issues detected:
✅ Action SHA pinning — All action references correctly pinned to full commit SHAs with tag comments for readability
✅ npm version locking — All ^ range prefixes removed, exact versions match package-lock.json
✅ pull_request_target removal — Correctly removed from pr-review.yml to prevent untrusted code execution
✅ Labeler workflow disabled — Intentionally replaced trigger with workflow_dispatch (can be re-enabled if needed)
The changes follow security best practices for supply chain hardening. No bugs or issues found.
aevesdocker approved these changes, Mar 24, 2026
Summary
Security hardening for GitHub Actions workflows:
- Mutable action tags (`@v4`, `@latest`, etc.) replaced with verified commit SHAs. Mutable tags are an active supply-chain attack vector. Tag retained as inline comment for readability.
- `^` range prefixes removed from `package.json`. Exact versions sourced from `package-lock.json`; no version changes.
- `pull_request_target` removed from `pr-review.yml`: auto-review on PR open/ready is dropped; manual `/review` command via `issue_comment` is preserved and unaffected.
- `pull_request_target` trigger in the labeler workflow replaced with `workflow_dispatch`. Workflow is kept but inert; can be re-enabled by reverting this change.
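A small checker for the two workflow-level points in this summary (action refs that are not full commit SHAs, and a `pull_request_target` trigger), as an added example that is not part of this PR or the docker/docs repository; the workflow text, action names and the 40-hex SHA below are constructed placeholders, and the checker is line-based rather than a YAML parser so it runs with the standard library only.

```python
import re

# Constructed sample workflow (not from docker/docs); the SHA is a placeholder.
SAMPLE_WORKFLOW = """\
name: pr-review
on:
  pull_request_target:
    types: [opened, ready_for_review]
  issue_comment:
    types: [created]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: some-org/some-action@latest
"""

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Event names under `on:` sit at exactly two spaces of indentation.
TRIGGER_LINE = re.compile(r"^  ([a-z_]+):")


def find_unpinned_actions(workflow_text):
    """Return every uses: reference whose ref is not a full 40-hex commit SHA."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions carry no git ref to pin
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            unpinned.append(ref)
    return unpinned


def find_risky_triggers(workflow_text):
    """Return `on:` events that run with a write-capable token on fork PRs."""
    risky, in_on = [], False
    for line in workflow_text.splitlines():
        if line.startswith("on:"):
            in_on = True
            continue
        if in_on and line and not line.startswith(" "):
            in_on = False  # a new top-level key ends the on: block
        m = TRIGGER_LINE.match(line) if in_on else None
        if m and m.group(1) == "pull_request_target":
            risky.append(m.group(1))
    return risky
```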