
Pin GitHub Actions to full commit SHAs#11

Merged
naheel0 merged 2 commits into main from copilot/fix-potential-issue-codeql
Feb 26, 2026

Conversation

Contributor

Copilot AI commented Feb 26, 2026

Mutable version tags (@v3, @v5, @v7) are vulnerable to tag takeover — a compromised upstream account can silently redirect a tag to malicious code. Pinning to immutable commit SHAs eliminates this vector and ensures reproducible builds.

Changes

  • .github/workflows/nodejs.yml
    • actions/checkout@v3 → actions/checkout@f43a0e5... (v3.6.0)
    • actions/setup-node@v3 → actions/setup-node@5e21ff4... (v3.8.1)
  • .github/workflows/labeler.yml
    • actions/labeler@v5 → actions/labeler@8558fd7... (v5.0.0)
  • .github/workflows/issue-labeler.yml
    • actions/github-script@v7 → actions/github-script@f28e40c... (v7.1.0)

Each SHA is annotated with a version comment for readability:

```yaml
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
```

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>⚠️ Potential issue | 🟠 Major</issue_title>
<issue_description>⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

# First, check if the file exists and read its content
if [ -f ".github/workflows/codeql.yml" ]; then
  echo "=== File content with line numbers ==="
  cat -n ".github/workflows/codeql.yml"
else
  echo "File not found"
  exit 1
fi
```

Repository: BeyteFlow/errlens

Length of output: 1181


🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

# Run the verification script from the review comment to find unpinned actions
echo "=== Checking for unpinned actions ==="
rg -nP '^\s*uses:\s*[^@\s]+@(?!(?:[a-f0-9]{40})\b)' .github/workflows/*.yml || echo "No unpinned actions found"
```

Repository: BeyteFlow/errlens

Length of output: 465


🌐 Web query:

GitHub Actions security best practices SHA pinning supply chain security

💡 Result:

GitHub Actions supply-chain security best practices (with SHA pinning)

1) Pin every third‑party action to a full commit SHA

  • Use an immutable reference in uses: a full-length commit SHA is the most reliable way to avoid a tag/branch later being moved to malicious code. Add a comment with the human version for readability (and to help Dependabot updates). [1]
  • Example:

    ```yaml
    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
    ```

    [1]

2) Prefer SHAs that correspond to a tagged release you trust

  • Choose SHAs from the action’s official repo (not a fork) and ideally those that correspond to a released version so updates are trackable. [1]

3) Watch out for “unpinnable” behavior (mutable dependencies)

  • SHA pinning helps, but an action can still be effectively mutable if it pulls in unpinned content at runtime (e.g., downloads scripts, uses floating container image tags, etc.). Review action source and avoid actions with mutable dependencies. [1]
  • Security research highlights how “unpinnable actions” can still enable supply-chain attacks despite SHA pinning if the action fetches changing code/assets. [2]

4) Enforce SHA pinning (org/enterprise policy)

  • GitHub Actions policies can require SHA-pinned actions (workflows fail if an action isn’t pinned) and can also block specific actions/versions to respond quickly to known-bad dependencies. [3]

5) Minimize token permissions (least privilege)

  • Set explicit permissions: for GITHUB_TOKEN at workflow/job level, granting only what’s required. [4]

6) Prefer short‑lived cloud credentials via OIDC (avoid long‑lived secrets)

  • Use GitHub Actions OpenID Connect to get short-lived tokens from your cloud provider instead of storing long-lived cloud secrets in GitHub. [5]

7) Prevent workflow/script injection

  • Don’t place untrusted input (issue titles, PR body text, branch names, etc.) directly into executable contexts (run: scripts, unsafe expression usage). This is called out as a key hardening item. [1]

Sources: GitHub Well‑Architected Actions security guidance [1], GitHub Docs on GITHUB_TOKEN permissions [4] and OIDC hardening [5], GitHub Changelog on SHA pinning enforcement and blocking [3], and security research on “unpinnable actions” [2].


Pin all GitHub Actions to full commit SHAs.

Lines 27, 30, 35, and 38 use mutable version tags (@v4, @v3). Pinning to 40-character commit SHAs prevents tag takeover attacks and ensures reproducible, verifiable builds.

🔒 Suggested hardening diff
-      - name: Checkout repository
-        uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
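Review bot: the version comment on the pinned checkout line is less precise than the pattern this same comment recommends: `# v4` records only the major tag, while the guidance example above pairs the identical SHA `692973e3d937129bcbf40652eb9f2f61becf3332` with `# v4.1.7`. Record the exact tag the SHA was taken from (`# v4.1.7`) so a reviewer can verify the pin against the release and the comment stays useful for Dependabot updates.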

-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3

-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3

-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3
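Review bot: the three github/codeql-action steps share the SHA `5f532563584d7bc9eab1fc0b6aa718b9134fb42a`, which correctly keeps init, autobuild and analyze on one commit, but the `# v3` comment again gives only the major tag. Before committing, confirm the SHA belongs to the official github/codeql-action repository (not a fork) and corresponds to a tagged release, as point 2 of the guidance above asks, and write that exact tag in all three comments.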
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

      - name: ...

</details>




- Fixes BeyteFlow/errlens#10


Co-authored-by: jaseel0 <225665919+jaseel0@users.noreply.github.com>
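The `rg` one-liner in the issue above only flags lines that are not a 40-hex SHA; it does not distinguish a mutable tag from an abbreviated SHA, a local action, or a Docker image tag, and it cannot tell whether a pinned line carries the version comment this PR adds. The following is an added example (not code from the errlens repository or from Copilot): a small Python scanner that classifies every `uses:` reference in a workflow and rewrites the ones it has a known-good pin for. The pin table reuses the two checkout/setup-node SHAs listed in the PR description; the sample workflow, the `abc1234` placeholder and all helper names are constructed for this illustration.

```python
"""Scan GitHub Actions workflows for `uses:` references that are not pinned to a
full 40-character commit SHA, and rewrite the ones with a known-good SHA.
Added example: regexes, helper names and the sample workflow are constructed
for this illustration and are not part of the errlens repository."""
import re
from typing import NamedTuple

# A step or job `uses:` line: optional list dash, optional quotes, optional trailing comment.
USES_RE = re.compile(
    r"""^(?P<indent>\s*-?\s*uses:\s*)["']?(?P<target>[^"'\s#]+)["']?\s*(?P<comment>#.*)?$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


class UsesRef(NamedTuple):
    lineno: int
    target: str   # e.g. actions/checkout@v3, ./local/path, docker://image:tag
    comment: str  # trailing '# ...' text, '' if absent
    status: str   # pinned | pinned-no-comment | short-sha | mutable | local


def classify(target: str, comment: str) -> str:
    """Decide whether one `uses:` target is an immutable pin."""
    if target.startswith(("./", "../")):
        return "local"  # resolved from the calling repository's own checkout
    if target.startswith("docker://"):
        # Image tags can be re-pushed; only a content digest is immutable.
        return "pinned" if "@sha256:" in target else "mutable"
    _, _, ref = target.partition("@")
    if FULL_SHA_RE.fullmatch(ref):
        # A SHA without a version comment is hard to review and to update.
        return "pinned" if comment else "pinned-no-comment"
    if SHORT_SHA_RE.fullmatch(ref):
        return "short-sha"  # abbreviated SHAs are not accepted as immutable pins
    return "mutable"  # tag or branch: the upstream owner can move it


def scan(text: str) -> list[UsesRef]:
    """Return every `uses:` reference in the workflow text with its classification."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            comment = (m.group("comment") or "").strip()
            refs.append(UsesRef(lineno, m.group("target"), comment,
                                classify(m.group("target"), comment)))
    return refs


def needs_fix(refs: list[UsesRef]) -> list[UsesRef]:
    return [r for r in refs if r.status in ("mutable", "short-sha", "pinned-no-comment")]


# Pins taken from the PR description above (verify against the action's official
# repository before adopting); keyed by (action path, mutable ref).
PIN_TABLE = {
    ("actions/checkout", "v3"): ("f43a0e5ff2bd294095638e18286ca9a3d1956744", "v3.6.0"),
    ("actions/setup-node", "v3"): ("5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d", "v3.8.1"),
}


def pin_workflow(text: str, table: dict = PIN_TABLE) -> str:
    """Rewrite mutable refs that have an entry in `table` to `@<sha> # <version>`."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and classify(m.group("target"), "") == "mutable":
            action, _, ref = m.group("target").partition("@")
            if (action, ref) in table:
                sha, version = table[(action, ref)]
                line = f"{m.group('indent')}{action}@{sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow; 'abc1234' is a placeholder abbreviated SHA.
SAMPLE_WORKFLOW = """\
name: Node.js CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - uses: github/codeql-action/init@5f532563584d7bc9eab1fc0b6aa718b9134fb42a # v3
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: actions/cache@abc1234
"""


def report(text: str) -> list[str]:
    """One human-readable line per reference that still needs attention."""
    return [f"line {r.lineno}: {r.status:18} {r.target}" for r in needs_fix(scan(text))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_WORKFLOW)))
    print("--- after pinning ---")
    print("\n".join(report(pin_workflow(SAMPLE_WORKFLOW))))
```

Run against real files with `scan(open(path).read())`. The scanner deliberately keeps `pinned-no-comment` and `short-sha` as findings: the first matches the readability convention the PR adopts, the second catches a common half-fix. Local actions are reported as `local` rather than flagged, since they come from the same checkout as the workflow; Docker image references are only treated as pinned when they carry a `@sha256:` digest.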
@jaseel0 jaseel0 requested review from jaseel0 and naheel0 February 26, 2026 18:09
@jaseel0 jaseel0 marked this pull request as ready for review February 26, 2026 18:09
Copilot AI changed the title [WIP] Fix potential issue with unpinned actions in workflows Pin GitHub Actions to full commit SHAs Feb 26, 2026
@github-actions github-actions bot added the ci/cd label Feb 26, 2026
@naheel0 naheel0 merged commit ea92c38 into main Feb 26, 2026
2 checks passed
@naheel0 naheel0 deleted the copilot/fix-potential-issue-codeql branch February 26, 2026 18:11
@naheel0 naheel0 linked an issue Feb 26, 2026 that may be closed by this pull request
Development

Successfully merging this pull request may close these issues.

_⚠️ Potential issue_ | _🟠 Major_

3 participants