Skip to content

Pin remaining GitHub Actions to SHAs for consistency #50918

Description

@ypfaff

While browsing the workflow files, I noticed that almost all external actions are pinned to a commit SHA with a version comment, e.g.:

uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Two actions are still referenced by a major-version tag:

It looks like actions/* actions were switched to tags in August 2025 (see the polish of #46787), while with 9b281d5 (#50835) actions/checkout was pinned to a SHA again. Should these two be pinned to SHAs as well?

If so, I'd be happy to submit a PR. 🙂

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions