Copilot AI commented Nov 26, 2025

Standardize all GitHub Actions workflow references to use commit SHAs with version comments instead of mutable tags, ensuring deterministic builds and supply chain security.

Changes

  • GitHub Actions: Updated actions/checkout, actions/download-artifact, actions/upload-artifact, actions/upload-pages-artifact, actions/configure-pages, actions/deploy-pages to SHA references
  • PSModule Actions: Updated all PSModule actions (Auto-Release, Document-PSModule, GitHub-Script, Build-PSModule, Install-PSModuleHelpers, Get-PesterCodeCoverage, Get-PesterTestResults, Invoke-ScriptAnalyzer, Test-PSModule, Invoke-Pester, Publish-PSModule) to SHA references
  • 13 workflow files updated in .github/workflows/

Format

# Before
uses: actions/checkout@v6

# After
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

Dependabot supports SHA references for automated update PRs.

Original prompt

This section details the original issue you should resolve

<issue_title>🩹 [Patch]: Use commit SHA with specific version comments for all workflow action references</issue_title>
<issue_description>
### Describe the change

Standardize all GitHub Actions workflow references in this repository so that every action uses a commit SHA, with a comment specifying the most specific version tag (e.g., # v1.2.3).

Why:

  • Ensures deterministic builds and protects against unexpected updates or supply chain attacks.
  • Improves maintainability and readability by documenting the exact version in use.

Examples:
✅ Correct:

  - name: Checkout Code
    uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v1.2.3
    with:
      persist-credentials: false

❌ Incorrect:

  - name: Checkout Code
    uses: actions/checkout@v1

Scope of change:

  • Update all workflow files in .github/workflows/*.yml to reference actions by SHA with a version comment, instead of by tag.
  • Use the most specific version tag in comments (e.g., v1.2.3 instead of v1).
  • Affected actions may include but are not limited to: actions/checkout, actions/download-artifact, actions/upload-artifact, actions/configure-pages, actions/deploy-pages, custom PSModule actions, etc.
  • Ensure CI and linting checks do not break.
  • Document changes in affected files.

Security Note:
Dependabot is configured to notify and create PRs when upstream actions/workflows update. Dependabot supports SHA references, so using them does not reduce security or update capabilities.

Acceptance:

  • All workflows use commit SHA with a version comment specifying the most specific tag
  • No workflows reference actions by tag (e.g., @v1)
  • All CI/CD checks pass
  • Documentation is updated as needed</issue_description>

Comments on the Issue (you are @copilot in this section)

Co-authored-by: MariusStorhaug <17722253+MariusStorhaug@users.noreply.github.com>
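As an added example (not code from the PR or from the PSModule project), this check turns the Before/After format above and the issue's acceptance criteria into something a CI step can run: it scans workflow text for `uses:` lines and flags every reference that is not a 40-hex commit SHA followed by a `# vX.Y.Z` comment. The sample workflow is constructed; the `actions/checkout` SHA and `v6.0.0` comment are the ones from the PR, the `0123...` SHA is a placeholder, and local `./` actions are treated as exempt because they have no upstream commit to pin.

```python
import re

# Acceptable form: owner/repo[/path]@<40-hex commit SHA> # v<major>.<minor>.<patch>[suffix]
PINNED_RE = re.compile(
    r"^(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<sha>[0-9a-f]{40})"
    r"\s*#\s*(?P<version>v\d+\.\d+\.\d+\S*)$"
)
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<value>.+?)\s*$")

def check_uses(value: str):
    """Return None if the reference satisfies the policy, else the reason it fails."""
    if value.startswith("./"):
        return None  # local action in this repo: nothing upstream to pin
    if PINNED_RE.match(value):
        return None
    if "@" not in value:
        return "no @ref at all"
    ref = value.split("@", 1)[1].split("#", 1)[0].strip()
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "commit SHA without a '# vX.Y.Z' version comment"
    return f"mutable ref '{ref}' (tag or branch) instead of a commit SHA"

def check_workflow(text: str):
    """Scan one workflow's text; return (line number, uses value, reason) per violation."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and (reason := check_uses(m.group("value"))):
            findings.append((lineno, m.group("value"), reason))
    return findings

# Constructed sample workflow; the 0123... SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout Code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      - name: Tag reference (violation)
        uses: actions/download-artifact@v4
      - name: SHA without version comment (violation)
        uses: PSModule/Build-PSModule@0123456789abcdef0123456789abcdef01234567
      - name: Local action (exempt)
        uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, value, reason in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value} -> {reason}")
```

Run it over each file in .github/workflows/ and fail the job when the list of findings is non-empty.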
@MariusStorhaug MariusStorhaug marked this pull request as ready for review November 26, 2025 19:55
@MariusStorhaug MariusStorhaug requested a review from a team as a code owner November 26, 2025 19:55
Copilot AI review requested due to automatic review settings November 26, 2025 19:55
Copilot AI changed the title from "[WIP] Standardize GitHub Actions to use commit SHA with version comments" to "Use commit SHA with version comments for all workflow action references" Nov 26, 2025
Copilot finished reviewing on behalf of MariusStorhaug November 26, 2025 19:56
Copilot AI requested a review from MariusStorhaug November 26, 2025 19:56
Copilot finished work on behalf of MariusStorhaug November 26, 2025 19:56
Copilot AI left a comment

Pull request overview

This PR standardizes all GitHub Actions workflow references to use commit SHAs with specific version comments, improving security and build reproducibility. The changes replace tag-based references (e.g., @v6) with SHA-based references that include version comments (e.g., @1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0).

Key Changes:

  • All 13 workflow files updated to use SHA-based action references
  • Version comments now specify exact semantic versions (e.g., v6.0.0, v1.7.4) instead of major versions only
  • Consistent format applied across all actions from both GitHub (actions/*) and PSModule namespaces

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated no comments.

Summary per file:

.github/workflows/Auto-Release.yml: Updated actions/checkout and PSModule/Auto-Release to use SHA with specific versions (v6.0.0, v1.9.5)
.github/workflows/Build-Docs.yml: Updated actions/checkout, actions/download-artifact, actions/upload-artifact, PSModule/Document-PSModule, and PSModule/GitHub-Script to SHA references with versions
.github/workflows/Build-Module.yml: Updated actions/checkout and PSModule/Build-PSModule to SHA references (v6.0.0, v4.0.9)
.github/workflows/Build-Site.yml: Updated actions/checkout, actions/download-artifact, actions/upload-pages-artifact, PSModule/Install-PSModuleHelpers, and PSModule/GitHub-Script to SHA references
.github/workflows/Get-CodeCoverage.yml: Updated PSModule/Get-PesterCodeCoverage to SHA reference (v1.0.3)
.github/workflows/Get-Settings.yml: Updated actions/checkout and PSModule/GitHub-Script to SHA references (v6.0.0, v1.7.4)
.github/workflows/Get-TestResults.yml: Updated PSModule/Get-PesterTestResults to SHA reference (v1.0.7)
.github/workflows/Lint-SourceCode.yml: Updated actions/checkout and PSModule/Invoke-ScriptAnalyzer to SHA references (v6.0.0, v4.1.1)
.github/workflows/Linter.yml: Updated actions/checkout to SHA reference (v6.0.0)
.github/workflows/Test-Module.yml: Updated actions/checkout, actions/download-artifact, PSModule/Test-PSModule, and PSModule/Invoke-ScriptAnalyzer to SHA references
.github/workflows/Test-ModuleLocal.yml: Updated actions/checkout, actions/download-artifact, PSModule/Install-PSModuleHelpers, and PSModule/Invoke-Pester to SHA references
.github/workflows/Test-SourceCode.yml: Updated actions/checkout and PSModule/Test-PSModule to SHA references (v6.0.0, v3.0.6)
.github/workflows/workflow.yml: Updated multiple actions including actions/checkout, actions/download-artifact, actions/configure-pages, actions/deploy-pages, PSModule/GitHub-Script, and PSModule/Publish-PSModule to SHA references

@MariusStorhaug MariusStorhaug merged commit c7983ef into main Nov 26, 2025
71 of 73 checks passed
@MariusStorhaug MariusStorhaug deleted the copilot/standardize-github-actions-versions branch November 26, 2025 20:06
Development

Successfully merging this pull request may close these issues.

🩹 [Patch]: Use commit SHA with specific version comments for all workflow action references

2 participants