Skip to content

chore(ci): pin all GitHub Actions to commit SHAs#133

Merged
JohnRDOrazio merged 1 commit into
devfrom
chore/pin-action-shas
Apr 28, 2026
Merged

chore(ci): pin all GitHub Actions to commit SHAs#133
JohnRDOrazio merged 1 commit into
devfrom
chore/pin-action-shas

Conversation

@JohnRDOrazio

Copy link
Copy Markdown
Member

Summary

Supply-chain hardening: every third-party action is now pinned to a specific commit SHA so that a compromised tag (e.g., force-pushed by an attacker with write access to the action's repo) cannot silently substitute malicious code into our CI runners.

Pattern used:
```yaml
uses: actions/checkout@de0fac2 # v6
```
The trailing comment preserves the human-readable version and is the format Dependabot recognizes for tracking.

Actions pinned

Action Pinned to
actions/checkout v6
actions/upload-artifact v7
actions/download-artifact v8
astral-sh/setup-uv v7
codecov/codecov-action v6
codecov/test-results-action v1
dependabot/fetch-metadata v3
docker/setup-buildx-action v4
docker/login-action v4
docker/metadata-action v6
docker/build-push-action v7
ncipollo/release-action v1

Drive-by version bump

`semgrep.yml` was using `actions/checkout@v4` — bumped to v6 to match every other workflow in this repo, then pinned.

Mirrors the matching change shipping on ontokit-web in PR #196.

Test plan

  • All CI checks (Semgrep, lint, test, build) still pass on this PR

🤖 Generated with Claude Code

Supply-chain hardening — pin every third-party action to a specific
commit SHA so that a compromised tag (force-pushed by an attacker who
gains repo write to the action) can't silently substitute malicious
code into our CI runners.

Each pin keeps the previous version as a comment so humans (and
Dependabot, when configured) can still see what version is in use and
update purposefully:

    uses: actions/checkout@de0fac2... # v6

Files changed:
- .github/workflows/release.yml — checkout, setup-uv (x3), codecov-action,
  test-results-action, upload-artifact, download-artifact (x2),
  ncipollo/release-action, docker/{setup-buildx,login,metadata,build-push}-action
- .github/workflows/semgrep.yml — checkout (also bumped from v4 → v6
  to align with every other workflow in this repo, then pinned)
- .github/workflows/dependabot-auto-merge.yml — fetch-metadata

Mirrors the matching change shipping on ontokit-web in PR #196.
@JohnRDOrazio JohnRDOrazio added github-actions Pull requests that update GitHub Actions code security Security vulnerabilities or hardening labels Apr 28, 2026
@coderabbitai

coderabbitai Bot commented Apr 28, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@JohnRDOrazio has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 30 minutes and 4 seconds before requesting another review.

To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 737e82d2-53a9-47f5-a8dd-d61308597b97

📥 Commits

Reviewing files that changed from the base of the PR and between fd1e0bd and 706ee30.

📒 Files selected for processing (3)
  • .github/workflows/dependabot-auto-merge.yml
  • .github/workflows/release.yml
  • .github/workflows/semgrep.yml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/pin-action-shas

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov

codecov Bot commented Apr 28, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

@JohnRDOrazio
JohnRDOrazio merged commit ff94da4 into dev Apr 28, 2026
13 checks passed
@JohnRDOrazio
JohnRDOrazio deleted the chore/pin-action-shas branch April 28, 2026 00:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

github-actions Pull requests that update GitHub Actions code security Security vulnerabilities or hardening

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant