Skip to content

[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security #80

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 15, 2025
Merged

[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security #80

merged 1 commit into from
Oct 15, 2025

Conversation

@chouetz
Copy link
Member

@chouetz chouetz commented Oct 13, 2025

🔒 Security Enhancement: GitHub Actions Pinning

📋 What This PR Does

This PR automatically pins GitHub Actions references from tag-based versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...) while preserving the original tag as a comment for readability.
No functional changes to your workflows - they'll work exactly the same way

🎯 Why This Matters

Supply Chain Security: Pinning GitHub Actions to specific SHA hashes prevents supply chain security and reliability risks because git tags are mutable and can be moved to point to different commits by malicious actors or maintainers, potentially introducing vulnerabilities or breaking changes into workflows.

🤖 Keep Actions Updated with Dependabot

Now that your actions are pinned to SHA hashes, you can enable Dependabot to automatically create PRs when new versions are available. Add this configuration to your repository:

Create or update .github/dependabot.yml:

# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10

This will:

  • 🔄 Check for action updates weekly
  • 📬 Create PRs automatically when newer versions are available
  • 🏷️ Update both the SHA hash and the comment with the new tag
  • 🎯 Keep your actions secure AND up-to-date

🤝 Questions or Concerns?

For any questions about this security enhancement, please reach out to the SDL Security team in the #sdlc-security Slack channel.

This PR was automatically generated by the GitHub Actions Pinning Tool as part of our ongoing security improvements.

@chouetz chouetz requested a review from a team as a code owner October 13, 2025 07:15
@chouetz
Copy link
Member Author

chouetz commented Oct 15, 2025

/merge

@dd-devflow-routing-codex
Copy link

dd-devflow-routing-codex bot commented Oct 15, 2025
edited
Loading

View all feedbacks in Devflow UI.

2025-10-15 07:05:10 UTC ℹ️ Start processing command /merge

2025-10-15 07:05:15 UTC ℹ️ MergeQueue: pull request added to the queue

The expected merge time in master is approximately 0s (p90).

2025-10-15 09:05:28 UTCMergeQueue: The build pipeline has timeout

The merge request has been interrupted because the build 0 took longer than expected. The current limit for the base branch 'master' is 120 minutes.

@swang392 swang392 merged commit 6a92590 into master Oct 15, 2025
3 of 4 checks passed
@swang392 swang392 deleted the pin-github-actions-1760339718 branch October 15, 2025 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@swang392 swang392 swang392 approved these changes

Assignees

No one assigned

Labels

mergequeue-status: rejected

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chouetz @swang392