Skip to content

ci: pin third-party GitHub Actions to verified release SHAs#446

Open
Vamshi-Microsoft wants to merge 1 commit into
mainfrom
ci/pin-third-party-actions
Open

ci: pin third-party GitHub Actions to verified release SHAs#446
Vamshi-Microsoft wants to merge 1 commit into
mainfrom
ci/pin-third-party-actions

Conversation

@Vamshi-Microsoft

Copy link
Copy Markdown
Contributor

Purpose

  • Pin third-party GitHub Actions to specific release commit SHAs (instead of mutable version tags) for reproducible and immutable workflow runs.
  • Replace the tj-actions/changed-files action in the broken-link checker with a built-in git diff step, which removes a third-party dependency from change detection.

Changes:

  • .github/workflows/broken-links-checker.yml — replace tj-actions/changed-files with a built-in git diff step; pin lycheeverse/lychee-action to 8646ba3 (v2.8.0).
  • .github/workflows/pr-title-checker.yml — pin amannn/action-semantic-pull-request to 48f2562 (v6.1.1).
  • .github/workflows/unit-tests-dotnet.yml — pin MishaKav/pytest-coverage-comment to e48ae95 (v1.8.0); pin EnricoMi/publish-unit-test-result-action to d0a4676 (v2.24.0).
  • .github/workflows/unit-tests.yml — pin MishaKav/pytest-coverage-comment to e48ae95 (v1.8.0); pin EnricoMi/publish-unit-test-result-action to d0a4676 (v2.24.0).

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid

  • ...

Other Information

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown

Coverage

.NET Coverage Report •
FileStmtsMissCoverMissing
TOTAL196597% 
report-only-changed-files is enabled. No files were changed during this commit :)

@github-actions

Copy link
Copy Markdown

Unit Test Results

489 tests  ±0   489 ✅ ±0   8s ⏱️ ±0s
  1 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit 141eb76. ± Comparison against base commit a1da9ee.

@github-actions

Copy link
Copy Markdown

.NET Unit Test Results

206 tests   206 ✅  1s ⏱️
  1 suites    0 💤
  1 files      0 ❌

Results for commit 141eb76.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR improves CI supply-chain security and reproducibility by pinning third-party GitHub Actions to immutable commit SHAs, and simplifies the broken-link checker by replacing a third-party changed-files action with a native git diff-based implementation.

Changes:

  • Pin several third-party Actions to specific verified commit SHAs across multiple workflows.
  • Replace tj-actions/changed-files usage in the broken-link workflow with a git diff step that sets equivalent outputs.
  • Pin lycheeverse/lychee-action to a specific commit SHA for deterministic runs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/broken-links-checker.yml Replace changed-file detection with git diff output and pin lycheeverse/lychee-action to a SHA.
.github/workflows/pr-title-checker.yml Pin amannn/action-semantic-pull-request to a specific commit SHA.
.github/workflows/unit-tests-dotnet.yml Pin coverage comment + test result publishing actions to specific commit SHAs.
.github/workflows/unit-tests.yml Pin coverage comment + test result publishing actions to specific commit SHAs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/broken-links-checker.yml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants