
Pin SHA1 to GHA + renovate config#3655

Merged: rastut merged 2 commits into main from pin-gha-to-sha-renovate-config on May 15, 2026

Conversation

@rastut (Contributor) commented May 15, 2026

This pull request updates the GitHub Actions workflows to improve security and maintainability by pinning all third-party action dependencies to specific commit SHAs or version tags, rather than floating versions. This reduces the risk of unexpected changes or supply chain attacks from external dependencies. Additionally, a Renovate configuration is updated to pin digests for actions.

Key changes include:

Security and Dependency Management

  • All GitHub Actions in workflow files (such as actions/checkout, actions/setup-python, Swatinem/rust-cache, arduino/setup-protoc, astral-sh/setup-uv, etc.) are now referenced by specific commit SHAs or version tags instead of floating version numbers. This ensures consistent, reproducible builds and mitigates the risk of supply chain attacks.

  • .github/renovate.json: Updated to enable pinDigests for dependencies of type action, ensuring Renovate will automatically pin action digests in future PRs.

These changes collectively harden the CI/CD pipeline against external changes and improve traceability of workflow runs.
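The pinning rule the description lays out (every third-party `uses:` reference resolves to a full commit SHA, with Renovate keeping the digests current) is easy to check mechanically. The following Python checker is an added example written for this page; it is not part of the PR or of the project's code. The workflow text is constructed for the example, the 40-hex value on the rust-cache line is a placeholder and not a real commit of that action, and the Renovate rule is the `packageRules` / `matchDepTypes` / `pinDigests` form Renovate documents for its github-actions manager.

```python
from __future__ import annotations

import json
import re

# Constructed sample workflow for this example (not a file from the project).
# It mixes a floating tag, a branch ref, a docker image with only a tag, a
# local action, and one correctly SHA-pinned action with a version comment.
# The 40-hex SHA below is a placeholder, not a real Swatinem/rust-cache commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
      - uses: Swatinem/rust-cache@0123456789abcdef0123456789abcdef01234567 # v2.7.3
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: echo hello
"""

# `uses:` value plus the optional trailing `# vX.Y.Z` comment Renovate maintains.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?(?P<ref>[^"'\s#]+)["']?\s*(?:#\s*(?P<comment>.*))?$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_uses(ref: str) -> str:
    """Classify how a `uses:` reference is pinned.

    local          action in this repository (./path); moves with the repo itself
    docker-digest  docker:// image pinned with @sha256:...
    docker-tag     docker:// image referenced by mutable tag
    sha            full 40-hex commit SHA: immutable, what this PR adopts
    short-sha      abbreviated SHA: rejected, ambiguous and cheap to collide
    mutable        tag, branch, or no ref at all; resolved at run time
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker-digest" if "@sha256:" in ref else "docker-tag"
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "mutable"
    if FULL_SHA_RE.match(version):
        return "sha"
    if SHORT_SHA_RE.match(version):
        return "short-sha"
    return "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str, str]]:
    """Every `uses:` line that does not resolve to an immutable digest."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        kind = classify_uses(m.group("ref"))
        if kind not in ("local", "sha", "docker-digest"):
            findings.append((line_no, m.group("ref"), kind))
    return findings


def sha_pins_without_version_comment(workflow_text: str) -> list[tuple[int, str]]:
    """SHA-pinned lines lacking a `# vX.Y.Z` comment; without it reviewers
    cannot tell which release the opaque digest corresponds to."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or classify_uses(m.group("ref")) != "sha":
            continue
        comment = m.group("comment") or ""
        if not re.match(r"^v?\d", comment):
            findings.append((line_no, m.group("ref")))
    return findings


def renovate_pin_rule() -> dict:
    """The renovate.json rule that makes Renovate rewrite action refs to
    digests and keep the version comment up to date."""
    return {"packageRules": [{"matchDepTypes": ["action"], "pinDigests": True}]}


if __name__ == "__main__":
    for line_no, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} ({kind})")
    for line_no, ref in sha_pins_without_version_comment(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} pinned without version comment")
    print(json.dumps(renovate_pin_rule(), indent=2))
```

Run against the sample, the checker flags the `@v4` tag, the `@main` branch and the tag-only docker image, and accepts the local action and the SHA-pinned one. A tag such as `v4` is mutable on GitHub (the action owner, or anyone who compromises the owner's account, can move it), which is why the check treats tags the same as branches; a short SHA is rejected because abbreviated prefixes can be collided deliberately and GitHub documents full-length SHAs as the supported form.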

@codecov bot commented May 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.39%. Comparing base (dbb0b91) to head (31a7601).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3655      +/-   ##
==========================================
- Coverage   85.45%   85.39%   -0.07%     
==========================================
  Files         563      563              
  Lines       48455    48455              
  Branches    14296    14296              
==========================================
- Hits        41409    41378      -31     
- Misses       6427     6460      +33     
+ Partials      619      617       -2     
Flag Coverage Δ
nidx 79.87% <ø> (+0.02%) ⬆️
nucliadb 73.98% <ø> (-0.17%) ⬇️
nucliadb-ingest 43.80% <ø> (ø)
nucliadb-reader 43.81% <ø> (-0.02%) ⬇️
nucliadb-search 55.00% <ø> (-0.02%) ⬇️
nucliadb-standalone 46.21% <ø> (ø)
nucliadb-train 44.87% <ø> (ø)
nucliadb-writer 47.16% <ø> (+0.01%) ⬆️
nucliadb_dataset 73.62% <ø> (ø)
nucliadb_models 71.52% <ø> (ø)
nucliadb_sdk 83.00% <ø> (ø)
nucliadb_telemetry 85.70% <ø> (ø)
nucliadb_utils 80.94% <ø> (ø)

Flags with carried forward coverage won't be shown.

@rastut rastut merged commit 7bdbe3d into main May 15, 2026
45 checks passed
@rastut rastut deleted the pin-gha-to-sha-renovate-config branch May 15, 2026 13:24