
SHA pin first-party GitHub Actions #243

Merged
williammartin merged 1 commit into trunk from wm-sha-pin on May 22, 2026

Conversation

@williammartin
Member

Part of the org-wide rollout following cli/cli#13491. See cli/cli#13490 for full rationale.

What

Replaces every actions/* and github/* uses: reference in .github/workflows/*.yml with the equivalent commit SHA, preserving the human-readable version in a trailing comment. Matches the convention already used for third-party action pins.

Unique pins introduced:

Action                        Pinned to
actions/checkout              de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
actions/setup-go              4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
github/codeql-action/init     7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
github/codeql-action/analyze  7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0

Why

With the 3-day dependabot cooldown configured for github-actions, version-tag references give no real benefit (dependabot still opens PRs on patch releases) while leaving us exposed to tag-mutation supply chain attacks on first-party namespaces. SHA pinning is the more consistent and defensible posture.

Verification

  • All workflow YAML still parses.
  • No first-party @vN refs remain (grep -E 'uses: (actions|github)/[^@]+@v[0-9]' .github/workflows/*.yml returns empty).
  • Dependabot natively parses <sha> # vX.Y.Z pins and will bump both the SHA and the comment on the next patch release.

Opened as a draft for review; mark ready when checks pass.

Pins every actions/* and github/* uses: reference in
.github/workflows to its commit SHA, with the human-readable
version preserved in a trailing comment, matching the convention
already used for third-party actions. Removes the supply-chain
exposure left by floating @vn tags now that dependabot has a
3-day cooldown configured.

Follows cli/cli#13491 (cli/cli) and
cli/cli#13490.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
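The check described in the Verification list and the rewrite the PR performs, as an added example that is not part of this PR or of the cli/cli repository's tooling: it audits `uses:` lines in workflow YAML for first-party (`actions/*`, `github/*`) references that are not pinned to a 40-hex commit SHA, or are SHA-pinned without the `# vX.Y.Z` comment dependabot relies on, and rewrites tag references from a tag-to-SHA map. The map values are the SHAs listed in the PR table; the workflow text is constructed sample input, and resolving a tag to its SHA (for instance with `git ls-remote --tags`) is assumed to happen out of band before the map is built.

```python
"""Audit and rewrite `uses:` references in GitHub Actions workflows so that
first-party actions (actions/*, github/*) are pinned to a full commit SHA with
the human-readable version kept in a trailing comment.

Added example, not the cli/cli project's own tooling. SHA values in RESOLVED
come from the PR table; SAMPLE_WORKFLOW is constructed input.
"""
import re

# Matches `- uses: owner/repo[/path]@ref` with an optional trailing comment.
USES_RE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<ref>[^\s#]+)(?P<rest>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
FIRST_PARTY = ("actions/", "github/")

# Assumed to be produced out of band (e.g. `git ls-remote --tags`), keyed by
# `owner/repo@tag`. Values here are the SHAs listed in the PR table.
RESOLVED = {
    "actions/checkout@v6.0.2": "de0fac2e4500dabe0009e67214ff5f5447ce83dd",
    "actions/setup-go@v6.4.0": "4a3601121dd01d1626a1e23e37211e3254c1c06c",
    "github/codeql-action@v4.36.0": "7211b7c8077ea37d8641b6271f6a365a22a5fbfa",
}

# Constructed sample workflow: three floating tags, one SHA pin without a
# version comment, and three refs that must be left alone.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
      - uses: actions/setup-go@v6.4.0
        with:
          go-version-file: go.mod
      - uses: github/codeql-action/init@v4.36.0
      - uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa
      - uses: docker://alpine:3.20
      - uses: ./.github/actions/local-thing
      - uses: someorg/third-party@0123456789abcdef0123456789abcdef01234567 # v1.2.3
"""


def split_ref(ref):
    """'github/codeql-action/init@v4' -> ('github/codeql-action', 'init', 'v4').
    The repo is the first two path components; anything after is a subpath
    that shares the repo's SHA."""
    path, _, version = ref.partition("@")
    parts = path.split("/")
    return "/".join(parts[:2]), "/".join(parts[2:]), version


def audit(workflow_text):
    """Return (line_no, ref, problem) for each first-party `uses:` that is not
    SHA-pinned, or is SHA-pinned without a `# vX.Y.Z` comment."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        # Local and docker:// actions have no upstream tag to pin.
        if ref.startswith(("./", "docker://")) or not ref.startswith(FIRST_PARTY):
            continue
        _, _, version = split_ref(ref)
        if not SHA_RE.match(version):
            findings.append((n, ref, "not pinned to a 40-hex commit SHA"))
        elif not re.search(r"#\s*v\d", m.group("rest")):
            findings.append((n, ref, "SHA pin lacks a '# vX.Y.Z' comment"))
    return findings


def pin(workflow_text, resolved=RESOLVED):
    """Rewrite first-party tag refs found in `resolved` to `<sha> # <tag>`;
    every other line is returned unchanged."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("ref").startswith(FIRST_PARTY):
            repo, subpath, version = split_ref(m.group("ref"))
            sha = resolved.get(f"{repo}@{version}")
            if sha and not SHA_RE.match(version):
                path = repo + (f"/{subpath}" if subpath else "")
                line = f"{m.group('prefix')}{path}@{sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, ref, problem in audit(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref}: {problem}")
    print(pin(SAMPLE_WORKFLOW))
```

The script never resolves tags itself: pinning a moving major tag such as `@v6` would freeze whichever commit that tag pointed at when the map was built, so resolve exact release tags, as the PR does, and keep the version comment so dependabot can bump both the SHA and the comment together. Run `audit` again on the rewritten text to catch the remaining case the rewrite cannot fix, a SHA pin that carries no version comment.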
@williammartin williammartin marked this pull request as ready for review May 22, 2026 16:18
@williammartin williammartin requested a review from a team as a code owner May 22, 2026 16:18
@williammartin williammartin requested review from BagToad and removed request for a team May 22, 2026 16:18
BagToad
BagToad approved these changes May 22, 2026
@williammartin williammartin merged commit edf1150 into trunk May 22, 2026
11 checks passed
@williammartin williammartin deleted the wm-sha-pin branch May 22, 2026 16:39
2 participants