Skip to content

ci: pin GitHub Actions to commit SHAs for security #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 24, 2025
Merged

ci: pin GitHub Actions to commit SHAs for security #124

merged 1 commit into from
Oct 24, 2025

Conversation

@dacoburn
Copy link
Collaborator

@dacoburn dacoburn commented Oct 24, 2025

Root Cause

We implemented a requirement for Github Actions to pinned to commit hashes

Fix

Pin all GitHub Actions references to specific commit SHAs instead of version tags to improve security and reproducibility:

  • actions/checkout@v4 → eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
  • actions/setup-python@v5 → f677139bbe7f9c59b41e40162b753c062f5d49a3
  • pypa/gh-action-pypi-publish@v1.12.4 → ab69e431e9c9f48a3310be0a56527c679f56e04d
  • actions/github-script@v7 → 60a0d83039c74a4aee543508d2ffcb1c3799cdea
  • docker/setup-qemu-action@v3 → 49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
  • docker/setup-buildx-action@v3 → c47758b77c9736f4b2ef4073d4d51994fabfe349
  • docker/login-action@v3 → 9780b0c442fbb1117ed29e0efdff1e18412f7567
  • docker/build-push-action@v5 → 4f58ea79222b3b9dc2c8bbdd6debcef730109a75

This follows GitHub security best practices by ensuring exact versions are used and preventing potential supply chain attacks from compromised tags.

Public Changelog

N/A

@dacoburn
ci: pin GitHub Actions to commit SHAs for security
e442bef 
Pin all GitHub Actions references to specific commit SHAs instead of version tags to improve security and reproducibility:
- actions/checkout@v4 → eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
- actions/setup-python@v5 → f677139bbe7f9c59b41e40162b753c062f5d49a3
- pypa/gh-action-pypi-publish@v1.12.4 → ab69e431e9c9f48a3310be0a56527c679f56e04d
- actions/github-script@v7 → 60a0d83039c74a4aee543508d2ffcb1c3799cdea
- docker/setup-qemu-action@v3 → 49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
- docker/setup-buildx-action@v3 → c47758b77c9736f4b2ef4073d4d51994fabfe349
- docker/login-action@v3 → 9780b0c442fbb1117ed29e0efdff1e18412f7567
- docker/build-push-action@v5 → 4f58ea79222b3b9dc2c8bbdd6debcef730109a75

This follows GitHub security best practices by ensuring exact versions are used and preventing potential supply chain attacks from compromised tags.
@dacoburn dacoburn requested a review from a team as a code owner October 24, 2025 01:29
@dacoburn dacoburn requested review from alxhotel and jfblaa and removed request for a team October 24, 2025 01:29
@socket-security-staging
Copy link

socket-security-staging bot commented Oct 24, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub/​actions/​checkout@​eef61447b9ff4aafe5dcd4e0bbf5d482be7e787173100100100100
Addedgithub/​actions/​setup-python@​f677139bbe7f9c59b41e40162b753c062f5d49a39210010010080
Addedgithub/​docker/​login-action@​9780b0c442fbb1117ed29e0efdff1e18412f756799100100100100
Addedgithub/​docker/​setup-buildx-action@​c47758b77c9736f4b2ef4073d4d51994fabfe34999100100100100
Addedgithub/​docker/​build-push-action@​4f58ea79222b3b9dc2c8bbdd6debcef730109a7599100100100100
Addedgithub/​docker/​setup-qemu-action@​49b3bc8e6bdd4a60e6116a5414239cba5943d3cf99100100100100
Updatedgithub/​actions/​github-script@​f28e40c7f34bde8b3046d885e986cb6290c5673b ⏵ 60a0d83039c74a4aee543508d2ffcb1c3799cdea100100100100100
Updatedgithub/​pypa/​gh-action-pypi-publish@​7f25271a4aa483500f742f9492b2ab5648d61011 ⏵ ab69e431e9c9f48a3310be0a56527c679f56e04d100 +71100100100100

View full report

@socket-security
Copy link

socket-security bot commented Oct 24, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub/​actions/​checkout@​eef61447b9ff4aafe5dcd4e0bbf5d482be7e787173100100100100
Addedgithub/​actions/​setup-python@​f677139bbe7f9c59b41e40162b753c062f5d49a39210010010080
Addedgithub/​docker/​login-action@​9780b0c442fbb1117ed29e0efdff1e18412f756799100100100100
Addedgithub/​docker/​setup-buildx-action@​c47758b77c9736f4b2ef4073d4d51994fabfe34999100100100100
Addedgithub/​docker/​build-push-action@​4f58ea79222b3b9dc2c8bbdd6debcef730109a7599100100100100
Addedgithub/​docker/​setup-qemu-action@​49b3bc8e6bdd4a60e6116a5414239cba5943d3cf99100100100100
Updatedgithub/​actions/​github-script@​f28e40c7f34bde8b3046d885e986cb6290c5673b ⏵ 60a0d83039c74a4aee543508d2ffcb1c3799cdea100 +1100100100100
Updatedgithub/​pypa/​gh-action-pypi-publish@​7f25271a4aa483500f742f9492b2ab5648d61011 ⏵ ab69e431e9c9f48a3310be0a56527c679f56e04d100 +71100100100100

View full report

@github-actions
Copy link

github-actions bot commented Oct 24, 2025

🚀 Preview package published!

Install with:

pip install --index-url https://test.pypi.org/simple/ --extra-index-url https://pypi.org/simple socketsecurity==2.2.12.dev1

Docker image: socketdev/cli:pr-124

@dacoburn dacoburn merged commit ee8b836 into main Oct 24, 2025
6 checks passed
@dacoburn dacoburn deleted the doug/pin-github-actions branch October 24, 2025 01:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tmpvar tmpvar tmpvar approved these changes

@alxhotel alxhotel Awaiting requested review from alxhotel alxhotel is a code owner automatically assigned from SocketDev/eng

@jfblaa jfblaa Awaiting requested review from jfblaa jfblaa is a code owner automatically assigned from SocketDev/eng

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dacoburn @tmpvar