Skip to content

feat(ENG-11298): Pinning GitHub actions#68

Merged
elgordomac merged 1 commit intomainfrom
eng-11298/pinning-github-actions
Dec 5, 2025
Merged

feat(ENG-11298): Pinning GitHub actions#68
elgordomac merged 1 commit intomainfrom
eng-11298/pinning-github-actions

Conversation

@elgordomac
Copy link
Copy Markdown
Contributor

@elgordomac elgordomac commented Dec 3, 2025
edited by cubic-dev-ai Bot
Loading

Summary by cubic

Pinned GitHub Actions to exact versions across CI workflows to improve security and reproducibility. Addresses ENG-11298 by enforcing version pinning in our pipelines.

  • Dependencies
    • actions/checkout pinned to v4.3.1
    • actions/setup-node pinned to v4.4.0
    • googleapis/release-please-action pinned to v4.4.0
    • amannn/action-semantic-pull-request pinned to v5

Written for commit 433ef60. Summary will update automatically on new commits.

Copilot AI review requested due to automatic review settings December 3, 2025 14:16
Copilot AI reviewed Dec 3, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances security by pinning GitHub Actions to specific commit hashes instead of mutable version tags. This prevents potential supply chain attacks where action tags could be moved to malicious commits.

Key Changes:

  • Replaced version tag references with commit SHA hashes across all workflow files
  • Added inline comments to document the semantic versions corresponding to each commit hash
  • Applied consistent pinning pattern to actions from multiple sources (amannn, googleapis, actions)

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/semantic-pull-request.yml Pinned amannn/action-semantic-pull-request to commit hash for v5
.github/workflows/release-please.yml Pinned googleapis/release-please-action, actions/checkout, and actions/setup-node to specific commit hashes with version comments
.github/workflows/node-ci.yml Pinned actions/checkout and actions/setup-node to the same commit hashes as in release-please workflow

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/semantic-pull-request.yml
runs-on: ubuntu-latest
steps:
- uses: amannn/action-semantic-pull-request@v5
- uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
Copy link

Copilot AI Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The version comment for this action uses only the major version # v5, while other actions in this PR use more specific version tags (e.g., # v4.3.1, # v4.4.0). For consistency and better documentation, consider using a more specific version tag in the comment (e.g., # v5.0.0 or the specific v5.x.y version that this commit hash corresponds to).

Suggested change
- uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
- uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5.0.0

Copilot uses AI. Check for mistakes.
@elgordomac elgordomac changed the title Pinning GitHub actions feat(ENG-11298): Pinning GitHub actions Dec 3, 2025
ryoppippi
ryoppippi approved these changes Dec 3, 2025
View reviewed changes
Copy link
Copy Markdown

@ryoppippi ryoppippi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@elgordomac elgordomac merged commit 49ef741 into main Dec 5, 2025
8 of 10 checks passed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@ryoppippi ryoppippi ryoppippi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@elgordomac @ryoppippi