Skip to content

chore(ci): pin actions/{download,upload}-artifact to immutable SHAs#14001

Merged
chenjiahan merged 1 commit into
mainfrom
security/pin-action-shas
May 12, 2026
Merged

chore(ci): pin actions/{download,upload}-artifact to immutable SHAs#14001
chenjiahan merged 1 commit into
mainfrom
security/pin-action-shas

Conversation

@stormslowly

@stormslowly stormslowly commented May 12, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Pin every actions/download-artifact and actions/upload-artifact reference under .github/ to a commit SHA plus a # vX.Y.Z comment.

Changes

File From To
.github/actions/artifact/download/action.yml actions/download-artifact@v4.1.7 @65a9edc5... # v4.1.7
.github/actions/artifact/upload/action.yml actions/upload-artifact@v4 @ea165f8d... # v4.6.2
.github/workflows/bench-rust.yml actions/upload-artifact@v4 @ea165f8d... # v4.6.2
.github/workflows/preview-commit.yml actions/download-artifact@v4.1.7 @65a9edc5... # v4.1.7
.github/workflows/release-canary.yml actions/download-artifact@v4.1.7 @65a9edc5... # v4.1.7
.github/workflows/release-debug.yml actions/download-artifact@v4.1.7 @65a9edc5... # v4.1.7
.github/workflows/reusable-build-test.yml actions/upload-artifact@v4 @ea165f8d... # v4.6.2
.github/workflows/reusable-release-npm.yml actions/download-artifact@v4.1.7 @65a9edc5... # v4.1.7

8 files, 8 single-line replacements. No semantic change to workflow behavior.

Resolved SHAs (verified against upstream tags):

gh api repos/actions/download-artifact/git/ref/tags/v4.1.7 --jq .object.sha
# 65a9edc5881444af0b9093a5e628f2fe47ea3b2e

gh api repos/actions/upload-artifact/git/ref/tags/v4.6.2 --jq .object.sha
# ea165f8d65b6e75b540449e92b4886f43607fa02

Test plan

  • CI passes (workflows still resolve and run the pinned SHAs)
  • Manually confirm grep -rE "actions/(upload|download)-artifact@v[0-9]" .github/ returns empty
  • On the next release dispatch, confirm the artifact upload/download steps still succeed

Replace floating tag references (download-artifact@v4.1.7, upload-artifact@v4)
with commit SHAs plus version comments, closing the supply-chain vector
exploited in the tj-actions/changed-files 2025 incident, where a tag
rewrite by a compromised maintainer propagates to every downstream
workflow that still resolves the tag at run time.

- actions/download-artifact -> 65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
- actions/upload-artifact   -> ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

Both SHAs verified against upstream:
  gh api repos/actions/download-artifact/git/ref/tags/v4.1.7
  gh api repos/actions/upload-artifact/git/ref/tags/v4.6.2

This is Phase 1 of a broader supply-chain hardening initiative motivated
by the TanStack 2026-05-11 npm compromise; remaining phases (npm OIDC
trusted publishing, optionalDependencies whitelist lint, ecosystem-
benchmark PR isolation, etc.) land in follow-up PRs.
Copilot AI review requested due to automatic review settings May 12, 2026 02:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins GitHub’s first-party artifact actions to immutable commit SHAs across the repository’s workflows and composite actions to reduce supply-chain risk from tag rewrites, while preserving existing workflow behavior.

Changes:

  • Replace actions/download-artifact@v4.1.7 with a pinned commit SHA annotated as # v4.1.7.
  • Replace actions/upload-artifact@v4 with a pinned commit SHA annotated as # v4.6.2.
  • Apply these pins consistently across workflows and the local composite artifact actions under .github/actions/.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/actions/artifact/download/action.yml Pin actions/download-artifact to an immutable SHA (# v4.1.7).
.github/actions/artifact/upload/action.yml Pin actions/upload-artifact to an immutable SHA (# v4.6.2).
.github/workflows/bench-rust.yml Pin actions/upload-artifact to an immutable SHA (# v4.6.2).
.github/workflows/preview-commit.yml Pin actions/download-artifact to an immutable SHA (# v4.1.7).
.github/workflows/release-canary.yml Pin actions/download-artifact to an immutable SHA (# v4.1.7).
.github/workflows/release-debug.yml Pin actions/download-artifact to an immutable SHA (# v4.1.7).
.github/workflows/reusable-build-test.yml Pin actions/upload-artifact to an immutable SHA (# v4.6.2).
.github/workflows/reusable-release-npm.yml Pin actions/download-artifact to an immutable SHA (# v4.1.7).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@github-actions

Copy link
Copy Markdown
Contributor

📦 Binary Size-limit

Comparing 4849556 to chore(deps): update dependency mermaid to v11.15.0 [security] (#13997) by renovate[bot]

🙈 Size remains the same at 61.97MB

@github-actions

Copy link
Copy Markdown
Contributor

Rsdoctor Bundle Diff Analysis

Found 6 projects in monorepo, 0 projects with changes.

📊 Quick Summary
Project Total Size Change
popular-libs 1.7 MB 0
react-10k 5.7 MB 0
react-1k 826.3 KB 0
react-5k 2.7 MB 0
rome 1.6 MB 0
ui-components 4.8 MB 0

Generated by Rsdoctor GitHub Action

@codspeed-hq

codspeed-hq Bot commented May 12, 2026

Copy link
Copy Markdown
Contributor

Merging this PR will not alter performance

✅ 34 untouched benchmarks
⏩ 25 skipped benchmarks1


Comparing security/pin-action-shas (4849556) with main (46dec16)

Open in CodSpeed

Footnotes

  1. 25 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@stormslowly stormslowly changed the title security(ci): pin actions/{download,upload}-artifact to immutable SHAs chore(ci): pin actions/{download,upload}-artifact to immutable SHAs May 12, 2026
@chenjiahan chenjiahan merged commit f102c62 into main May 12, 2026
78 checks passed
@chenjiahan chenjiahan deleted the security/pin-action-shas branch May 12, 2026 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants