chore(ci): pin actions/{download,upload}-artifact to immutable SHAs#14001
Conversation
Replace floating tag references (download-artifact@v4.1.7, upload-artifact@v4) with commit SHAs plus version comments, closing the supply-chain vector exploited in the tj-actions/changed-files 2025 incident, where a tag rewrite by a compromised maintainer propagates to every downstream workflow that still resolves the tag at run time. - actions/download-artifact -> 65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 - actions/upload-artifact -> ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 Both SHAs verified against upstream: gh api repos/actions/download-artifact/git/ref/tags/v4.1.7 gh api repos/actions/upload-artifact/git/ref/tags/v4.6.2 This is Phase 1 of a broader supply-chain hardening initiative motivated by the TanStack 2026-05-11 npm compromise; remaining phases (npm OIDC trusted publishing, optionalDependencies whitelist lint, ecosystem- benchmark PR isolation, etc.) land in follow-up PRs.
There was a problem hiding this comment.
Pull request overview
Pins GitHub’s first-party artifact actions to immutable commit SHAs across the repository’s workflows and composite actions to reduce supply-chain risk from tag rewrites, while preserving existing workflow behavior.
Changes:
- Replace
actions/download-artifact@v4.1.7with a pinned commit SHA annotated as# v4.1.7. - Replace
actions/upload-artifact@v4with a pinned commit SHA annotated as# v4.6.2. - Apply these pins consistently across workflows and the local composite artifact actions under
.github/actions/.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| .github/actions/artifact/download/action.yml | Pin actions/download-artifact to an immutable SHA (# v4.1.7). |
| .github/actions/artifact/upload/action.yml | Pin actions/upload-artifact to an immutable SHA (# v4.6.2). |
| .github/workflows/bench-rust.yml | Pin actions/upload-artifact to an immutable SHA (# v4.6.2). |
| .github/workflows/preview-commit.yml | Pin actions/download-artifact to an immutable SHA (# v4.1.7). |
| .github/workflows/release-canary.yml | Pin actions/download-artifact to an immutable SHA (# v4.1.7). |
| .github/workflows/release-debug.yml | Pin actions/download-artifact to an immutable SHA (# v4.1.7). |
| .github/workflows/reusable-build-test.yml | Pin actions/upload-artifact to an immutable SHA (# v4.6.2). |
| .github/workflows/reusable-release-npm.yml | Pin actions/download-artifact to an immutable SHA (# v4.1.7). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
📦 Binary Size-limit
🙈 Size remains the same at 61.97MB |
Rsdoctor Bundle Diff AnalysisFound 6 projects in monorepo, 0 projects with changes. 📊 Quick Summary
Generated by Rsdoctor GitHub Action |
Merging this PR will not alter performance
Comparing Footnotes
|
Summary
actions/download-artifactandactions/upload-artifactreference under.github/to a commit SHA plus a# vX.Y.Zcomment.Changes
.github/actions/artifact/download/action.ymlactions/download-artifact@v4.1.7@65a9edc5...# v4.1.7.github/actions/artifact/upload/action.ymlactions/upload-artifact@v4@ea165f8d...# v4.6.2.github/workflows/bench-rust.ymlactions/upload-artifact@v4@ea165f8d...# v4.6.2.github/workflows/preview-commit.ymlactions/download-artifact@v4.1.7@65a9edc5...# v4.1.7.github/workflows/release-canary.ymlactions/download-artifact@v4.1.7@65a9edc5...# v4.1.7.github/workflows/release-debug.ymlactions/download-artifact@v4.1.7@65a9edc5...# v4.1.7.github/workflows/reusable-build-test.ymlactions/upload-artifact@v4@ea165f8d...# v4.6.2.github/workflows/reusable-release-npm.ymlactions/download-artifact@v4.1.7@65a9edc5...# v4.1.78 files, 8 single-line replacements. No semantic change to workflow behavior.
Resolved SHAs (verified against upstream tags):
Test plan
grep -rE "actions/(upload|download)-artifact@v[0-9]" .github/returns empty