Pin actions to commit SHAs in shared-build-and-test and vulnerability_scan#212

Merged
BehnamMozafari merged 1 commit into main from bmz-pin-shared-build-and-test-to-commit-sha
Apr 14, 2026

Conversation

@BehnamMozafari
Contributor

Summary

  • Pins all GitHub Actions in shared-build-and-test.yaml and its transitive dependency actions/vulnerability_scan/action.yaml to full-length commit SHAs
  • Fixes: The actions actions/checkout@v4, actions/setup-java@v4, actions/upload-artifact@v4, and iabtechlab/uid2-shared-actions/actions/vulnerability_scan@v3 are not allowed in UnifiedID2/uid2-okta-configuration because all actions must be pinned to a full-length commit SHA
  • Version comments (e.g. # v4) preserved next to each SHA for maintainability

Actions pinned

| Action | Version | SHA |
| --- | --- | --- |
| actions/checkout | v4 | 34e11487 |
| actions/setup-java | v4 | c1e32368 |
| actions/upload-artifact | v4 | ea165f8d |
| actions/cache | v4 | 0057852b |
| actions/cache/save | v4 | 0057852b |
| oras-project/setup-oras | v1 | 22ce207d |
| github/codeql-action/upload-sarif | v3 | 5c8a8a64 |
| IABTechLab/uid2-shared-actions/vulnerability_scan | v3 | aa84a60f |

Note: The self-reference to uid2-shared-actions@v3 is pinned to the current v3 tag SHA. After this PR merges and the v3 tag is updated, the self-reference SHA should be updated to the new v3 commit.

Test plan

  • Verify the workflow runs successfully in a caller repo (e.g. uid2-okta-configuration)
  • Confirm no SHA pinning errors from GitHub Actions

🤖 Generated with Claude Code
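The pinning rule this PR satisfies (every `uses:` reference must point at a full-length 40-hex commit SHA, with the human-readable version kept as a trailing `# v4` comment) is easy to check mechanically. The following is an added example of such a check and is not part of this PR or the uid2-shared-actions repository: a dependency-free Python linter that scans workflow or composite-action YAML text line by line and reports every action reference that is a tag, branch, or short SHA rather than a full SHA. The two sample snippets are constructed for the example; the full SHAs in the "after" snippet are the ones listed in the PR body for actions/checkout and actions/setup-java. Local actions (`uses: ./path`) carry no `@ref` and are skipped, and `docker://` references are out of scope.

```python
import re

# Matches a `uses:` step in a workflow or composite action. Captures the
# action path (owner/repo[/subdir]), the ref after '@', and an optional
# trailing "# comment" that by convention holds the version tag.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<action>[^@\s'"]+)@(?P<ref>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>.*))?$"""
)
# A full-length commit SHA: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_line(line):
    """Return None for lines that are not `uses: owner/repo@ref`, otherwise a
    dict describing the reference: whether it is pinned to a full SHA and
    whether a version comment follows it. docker:// references are ignored."""
    m = USES_RE.match(line)
    if not m or m.group("action").startswith("docker://"):
        return None
    ref = m.group("ref")
    comment = (m.group("comment") or "").strip()
    return {
        "action": m.group("action"),
        "ref": ref,
        "pinned": bool(FULL_SHA_RE.match(ref)),
        "has_version_comment": comment != "",
    }


def find_unpinned(yaml_text):
    """Return [(line_no, action, ref)] for every action reference that is not
    a full 40-hex commit SHA (tags, branches and abbreviated SHAs all count)."""
    problems = []
    for n, line in enumerate(yaml_text.splitlines(), start=1):
        info = check_uses_line(line)
        if info and not info["pinned"]:
            problems.append((n, info["action"], info["ref"]))
    return problems


# Constructed "before" snippet: tag references, which the rule rejects.
SAMPLE_BEFORE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-java@v4
    with:
      java-version: '17'
  - uses: ./.github/actions/local-step
"""

# Constructed "after" snippet: full SHAs (values from the PR body) with the
# version kept as a trailing comment, plus an untouched local action.
SAMPLE_AFTER = """\
steps:
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
  - uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
  - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        issues = find_unpinned(text)
        print(f"{label}: {len(issues)} unpinned action reference(s)")
        for line_no, action, ref in issues:
            print(f"  line {line_no}: {action}@{ref} is not a full commit SHA")
```

Run as a script it reports two findings for the "before" snippet and none for the "after" one; wired into a pre-merge check over `.github/workflows/*.yaml` and any `action.yaml` files, it catches the case this PR fixes (a transitive composite action still using tags) before the caller repository's policy rejects the run. Note that a full SHA only guarantees which commit runs; whether that commit is the one the `# v4` comment claims still has to be confirmed against the upstream tag when the pin is introduced or bumped.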

…nd vulnerability_scan

Fixes SHA pinning requirement for repos like UnifiedID2/uid2-okta-configuration
that enforce all actions must be pinned to a full-length commit SHA.

Actions pinned:
- actions/checkout@v4 -> 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-java@v4 -> c1e323688fd81a25caa38c78aa6df2d33d3e20d9
- actions/upload-artifact@v4 -> ea165f8d65b6e75b540449e92b4886f43607fa02
- actions/cache@v4 -> 0057852bfaa89a56745cba8c7296529d2fc39830
- oras-project/setup-oras@v1 -> 22ce207df3b08e061f537244349aac6ae1d214f6
- github/codeql-action/upload-sarif@v3 -> 5c8a8a642e79153f5d047b10ec1cba1d1cc65699
- IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v3 -> aa84a60

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@BehnamMozafari BehnamMozafari self-assigned this Apr 14, 2026
@BehnamMozafari BehnamMozafari merged commit 83defcc into main Apr 14, 2026
3 checks passed