
[Security] Pin GitHub Actions to a full-length commit SHA#489

Merged
Anilm3 merged 1 commit into master from pin-github-actions-1773667943
Mar 16, 2026

Conversation

@juliendoutre
Contributor

Pin GitHub Actions to SHA hashes

This automated PR pins third-party GitHub Actions references from mutable tag versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...). The original tag is preserved as a comment for readability. Your workflows will work exactly the same way. Internal actions (under the DataDog organization) are not pinned.

Read https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions for more details and info on how to configure this for entire repos.

Why pin GitHub Actions?

Git tags are mutable: they can be moved to point to different commits at any time. A compromised or malicious action maintainer could update a tag to inject arbitrary code into your CI workflows (see the tj-actions incident). Pinning to SHA hashes ensures you always run the exact code you reviewed, protecting your repository from supply chain attacks such as the tj-actions incident.

What if something breaks?

If a pinned action doesn't work for your use case, you can push a commit directly to this branch to fix it. As a last resort, reach out to #sdlc-security on Slack.

Set up Dependabot or Renovate for automatic updates

Once actions are pinned to SHA hashes, you should configure Dependabot or Renovate to receive weekly update PRs when new versions are available.

In the case of Dependabot, create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10

Dependabot will automatically propose PRs that update both the SHA hash and the version comment like in this example.


This PR was automatically generated by the GitHub Actions Pinning tool, owned by #sdlc-security.
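To see what the pinning check described above amounts to, here is a small audit script added for illustration (it is not the pinning tool's code and not part of this PR). It treats a `uses:` reference as pinned only when its ref is a 40-character hex commit SHA, leaves local, `docker://` and DataDog-org references alone as the PR text describes, and runs over a constructed sample workflow whose SHA is a made-up placeholder.

```python
import re

# Matches a "uses:" step in a workflow, e.g.
#   - uses: actions/checkout@v4
#   - uses: actions/checkout@<40-hex-sha> # v4
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

# Organizations whose actions the pinning tool leaves untouched (per the PR text).
INTERNAL_ORGS = {"datadog"}


def classify_ref(uses: str) -> str:
    """Classify one 'uses:' value as local, docker, internal, pinned or mutable."""
    if uses.startswith("./"):
        return "local"        # path inside this repository, no external ref
    if uses.startswith("docker://"):
        return "docker"       # image refs need a digest check, handled separately
    repo, sep, ref = uses.partition("@")
    owner = repo.split("/", 1)[0].lower()
    if owner in INTERNAL_ORGS:
        return "internal"
    if sep and FULL_SHA_RE.match(ref):
        return "pinned"
    return "mutable"          # tag, branch, short SHA or no ref at all


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, uses_value) for each third-party action not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow (not from this PR); the SHA is a placeholder value.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: DataDog/some-internal-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: some-org/tool@abc123
"""

if __name__ == "__main__":
    for lineno, uses in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is not pinned to a full-length commit SHA")
```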

@juliendoutre juliendoutre requested a review from a team as a code owner March 16, 2026 13:32
@Anilm3 Anilm3 enabled auto-merge (squash) March 16, 2026 13:36
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.92%. Comparing base (18eae43) to head (5710ddf).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #489   +/-   ##
=======================================
  Coverage   84.92%   84.92%           
=======================================
  Files         190      190           
  Lines        9203     9203           
  Branches     4143     4143           
=======================================
  Hits         7816     7816           
  Misses        509      509           
  Partials      878      878           
Flag Coverage Δ
waf_test 84.92% <ø> (ø)


@github-actions

Dynamic Artifact Size Comparison 📦

Artifact Previous Release This PR Difference
darwin-arm64::libddwaf.dylib 2004032 2004032 0.00%
darwin-universal::libddwaf.dylib 4215872 4215872 0.00%
darwin-x86_64::libddwaf.dylib 2195712 2195712 0.00%
linux-aarch64::libddwaf.so 2378224 2378224 0.00%
linux-armv7::libddwaf.so 2046280 2046280 0.00%
linux-i386::libddwaf.so 2300828 2300828 0.00%
linux-x86_64::libddwaf.so 2571120 2571120 0.00%
windows-arm64::ddwaf.dll 6686208 6686208 0.00%
windows-win32::ddwaf.dll 3315712 3315712 0.00%
windows-x64::ddwaf.dll 4045824 4045824 0.00%

Static Artifact Size Comparison 📦

Artifact Previous Release This PR Difference
darwin-arm64::libddwaf.a 92215128 92215128 0.00%
darwin-arm64::libddwaf.a.stripped 4707464 4707464 0.00%
darwin-universal::libddwaf.a 185945888 185945888 0.00%
darwin-universal::libddwaf.a.stripped 10023864 10023864 0.00%
darwin-x86_64::libddwaf.a 93730712 93730712 0.00%
darwin-x86_64::libddwaf.a.stripped 5316352 5316352 0.00%
linux-aarch64::libddwaf.a 75161592 75161592 0.00%
linux-aarch64::libddwaf.a.stripped 12162860 12162860 0.00%
linux-armv7::libddwaf.a 66399138 66399138 0.00%
linux-armv7::libddwaf.a.stripped 11168358 11168358 0.00%
linux-i386::libddwaf.a 64591428 64591428 0.00%
linux-i386::libddwaf.a.stripped 9661240 9661240 0.00%
linux-x86_64::libddwaf.a 75652672 75652672 0.00%
linux-x86_64::libddwaf.a.stripped 11966124 11966124 0.00%
windows-arm64::ddwaf.lib 16410 16410 0.00%
windows-arm64::ddwaf_static.lib 134528158 134528158 0.00%
windows-win32::ddwaf.lib 16726 16726 0.00%
windows-win32::ddwaf_static.lib 47564214 47564556 0.00%
windows-x64::ddwaf.lib 16410 16410 0.00%
windows-x64::ddwaf_static.lib 55369970 55370188 0.00%

@Anilm3 Anilm3 merged commit e248d88 into master Mar 16, 2026
56 of 57 checks passed
@Anilm3 Anilm3 deleted the pin-github-actions-1773667943 branch March 16, 2026 13:59