
ci: pin GitHub Actions to SHAs#2292

Open
jonchurch wants to merge 1 commit into expressjs:redesign from jonchurch:ci/pin-actions-to-sha

Conversation

Member

@jonchurch jonchurch commented Apr 22, 2026

The Problem

We want to ensure that our actions are pinned so we don't get rekt in a takeover.

The Solution

SHA pin all the actions being used on the redesign branch.

SHAs were resolved via gh api repos/OWNER/REPO/commits/TAG --jq .sha

The main branch wasn't all pinned, so the lack of pinning wasn't necessarily new to the redesign, but this PR ensures that we pin them all.

Resolve all tag-referenced actions in .github/workflows/ to full
commit SHAs, preserving the original tag as an inline comment.
@jonchurch jonchurch requested a review from a team as a code owner April 22, 2026 20:00
netlify Bot commented Apr 22, 2026

Deploy Preview for expressjscom-preview ready!

Name Link
🔨 Latest commit 95c9221
🔍 Latest deploy log https://app.netlify.com/projects/expressjscom-preview/deploys/69e928eb0f4658000892f356
😎 Deploy Preview https://deploy-preview-2292--expressjscom-preview.netlify.app
Lighthouse
1 paths audited
Performance: 96 (no change from production)
Accessibility: 100 (🟢 up 13 from production)
Best Practices: 100 (no change from production)
SEO: 100 (🟢 up 6 from production)
PWA: 80 (🟢 up 50 from production)

Contributor

@krzysdz krzysdz left a comment


Verified all manually (only that hashes match versions; not a code audit). Some actions use different versions in different jobs and some don't use the latest version:

  • actions/setup-node - v4 is used once, the rest (3) use v6 (latest version)
  • actions/upload-artifact - v7 is available, v4 is used in 2 jobs, v6 is used in 1 job
  • actions/download-artifact - v8 is available, v4 is used in 1 job
  • actions/deploy-pages - v5 is available, v4 is used in 1 job
  • actions/cache - v5 is available, v4 is used in 1 job

I did not check compatibility or review changes (some releases are only a few days old, and if we pin versions for security reasons, the code probably should be audited when the version changes).

github/codeql-action/* actions probably don't require pinning by hash, because releases (and corresponding tags) are immutable. A patch version tag (e.g. v4.35.2) should always point to the same commit if we trust GitHub to have implemented this feature correctly.
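Added example (not code from this PR or from the expressjs project): a Python version of the pinning step described in the PR and of the tag-matches-hash check krzysdz did by hand, resolving tags with the same `gh api repos/OWNER/REPO/commits/TAG --jq .sha` command. The `FAKE_TAGS` tag-to-SHA table is constructed so the example runs offline; function names are the example's own.

```python
import re
import subprocess
from typing import Callable, Dict, Optional

# `uses: owner/repo[/sub/path]@ref` with an optional trailing comment.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)(?P<rest>\s*(?:#.*)?)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
Resolver = Callable[[str, str], str]  # (action, tag) -> commit SHA

def gh_resolve(action: str, tag: str) -> str:
    """Resolve a tag with the command the PR used; sub-path actions resolve in their parent repo."""
    owner, repo = action.split("/")[:2]
    cmd = ["gh", "api", f"repos/{owner}/{repo}/commits/{tag}", "--jq", ".sha"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()

def pin_line(line: str, resolve: Resolver = gh_resolve) -> str:
    """Rewrite one `uses:` line to a SHA pin, keeping the tag as an inline comment.
    Lines that are not `uses:` or are already SHA-pinned come back unchanged."""
    m = USES_RE.match(line)
    if not m or SHA_RE.match(m["ref"]):
        return line
    sha = resolve(m["action"], m["ref"])
    if not SHA_RE.match(sha):
        raise ValueError(f"{m['action']}@{m['ref']} resolved to non-SHA {sha!r}")
    return f"{m['prefix']}{m['action']}@{sha} # {m['ref']}"

def check_pin(line: str, resolve: Resolver = gh_resolve) -> Optional[bool]:
    """The review step: does the pinned SHA equal what the commented tag resolves to?
    Returns None for lines that are not a SHA pin carrying a tag comment."""
    m = USES_RE.match(line)
    tag = re.search(r"#\s*(\S+)", m["rest"]) if m and SHA_RE.match(m["ref"]) else None
    if tag is None:
        return None
    return resolve(m["action"], tag.group(1)) == m["ref"]

def pin_workflow(text: str, resolve: Resolver = gh_resolve) -> str:
    return "\n".join(pin_line(ln, resolve) for ln in text.split("\n"))

# Constructed tag->SHA table so the example runs offline; real SHAs come from gh_resolve.
FAKE_TAGS: Dict[tuple, str] = {
    ("actions/checkout", "v4"): "a" * 40,
    ("github/codeql-action", "v4.35.2"): "b" * 40,
}
def fake_resolve(action: str, tag: str) -> str:
    return FAKE_TAGS[("/".join(action.split("/")[:2]), tag)]
```

Running `check_pin` over every `uses:` line of a workflow with `gh_resolve` reproduces the manual verification above; a False result means the SHA and the commented tag disagree.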

@krzysdz krzysdz added the github_actions Pull requests that update GitHub Actions code label Apr 22, 2026