Skip to content

ci: pin third-party Actions to commit SHAs#131

Merged
Connorrmcd6 merged 1 commit into
Connorrmcd6:mainfrom
laurigates:upstream-pr/ci-pin-actions
Jun 15, 2026
Merged

ci: pin third-party Actions to commit SHAs#131
Connorrmcd6 merged 1 commit into
Connorrmcd6:mainfrom
laurigates:upstream-pr/ci-pin-actions

Conversation

@laurigates

@laurigates laurigates commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Severity: MEDIUM — release-pipeline supply chain

Every third-party Action was referenced by a mutable major tag (@v6, @v3, @v4,
@v2). A tag can be re-pointed by its owner — or by anyone who compromises that account —
to arbitrary code. That code runs in jobs that hold:

  • contents: write (release.yml build → uploads release assets via action-gh-release)
  • id-token: write (release.yml npm-publish → npm provenance OIDC)
  • a cross-repo PAT (notify-siterepository-dispatch)

so a swapped Action could tamper with the published binaries install.sh consumes, mint
provenance, or exfiltrate the dispatch token.

Change

Pin each Action to a full-length commit SHA with a trailing version comment — the format
Dependabot and Renovate parse and keep updated:

Action SHA tag
actions/checkout df4cb1c069e1874edd31b4311f1884172cec0e10 v6
actions/setup-node 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e v6
softprops/action-gh-release b4309332981a82ec1c5618f44dd2e27cc8bfbfda v3
peter-evans/repository-dispatch 28959ce8df70de7be546dd1250a005dd32156697 v4
rustsec/audit-check 69366f33c96575abad1ee0dba8212993eecbe998 v2.0.0

SHAs resolved via git ls-remote against each upstream repo. dependabot.yml already
tracks the github-actions ecosystem, so the pins stay maintained.

Note: adding actions/attest-build-provenance for the release tarballs is a sensible
follow-up, left out here to keep this PR single-purpose.

🤖 Generated with Claude Code

Pin every third-party Action to a full-length commit SHA with a version
comment (Dependabot/Renovate keep these current). A mutable tag like
@v6 lets the tag owner — or anyone who compromises their account — swap
the code an Action runs, and these run in jobs holding contents: write
(release upload) and id-token: write (npm provenance). SHAs make the
supply chain reproducible and reviewable.

  actions/checkout@v6                  -> df4cb1c... # v6
  actions/setup-node@v6                -> 48b55a0... # v6
  softprops/action-gh-release@v3       -> b430933... # v3
  peter-evans/repository-dispatch@v4   -> 28959ce... # v4
  rustsec/audit-check@v2               -> 69366f3... # v2.0.0

dependabot.yml already tracks the github-actions ecosystem, so these pins
stay maintained.

https://claude.ai/code/session_01T3Z35bgg6cvWzBDfyh6pQ8
(cherry picked from commit ae343f8)
@Connorrmcd6 Connorrmcd6 merged commit 861c9ee into Connorrmcd6:main Jun 15, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants