INFRA-953: pin actions/checkout to SHA v6.0.2#289
Merged
Conversation
Replace all uses: actions/checkout@<tag|sha> with the SHA-pinned reference for v6.0.2: actions/checkout@de0fac2 # v6.0.2 Supply-chain hardening — pinning to exact SHA prevents tag mutation. Part of INFRA-232 Node 24 migration and governance work.
Kolodziejczykmaciek
approved these changes
Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Requestor/Issue: @lgd-michallasisz / INFRA-232 / INFRA-953
Risk: Low
Tested: yes, on DevOPS owned repositories. Repository owner should test on their repo
Description: |
GitHub Actions using Node.js older than Node 24 will be deprecated
This repository was flagged in our audit:
actions/checkoutis referenced without SHA pinning and/or does not use the current stable Node 24 runtime (v6.0.2).While reviewing old-node actions and not-SHA-pinned actions across repositories(Deprecation of Node 20 in Github Actions, we noticed that
actions/checkoutaccounts for a significant share of outstanding items. Since v6.0.2 ships with a Node 24 runtime and pinning to SHA is a self-contained, low-risk change, we treated this as a safe low-hanging fruit and raised this PR on your behalf.Tag-based references (
@v4,@v6) are mutable — a tag can be silently moved to a different commit. SHA pinning guarantees every workflow run uses the exact, audited release and prevents supply-chain attacks via tag mutation.Please review, approve, and test before merging.
What is being changed
All
.github/workflow files and composite actions updated:References
🤖 Co-authored-by: Claude Code