chore: pin GitHub Actions to SHAs; switch mise install snippet to github backend#10
Merged
Conversation
- All `uses:` lines in ci.yml, cla.yml, release.yml now reference an immutable commit SHA with a trailing `# vX.Y.Z` comment. Tags can be force-pushed by upstream maintainers (or an attacker who compromises them); SHAs cannot. Dependabot understands this pattern and will open bump PRs as new versions ship.
- README install snippet and the GoReleaser release-notes footer now recommend `mise use github:Staffbase/gq@<tag>`. mise's `ubi:` backend prints a deprecation warning since the `github:` backend supersedes it; both download from the same release assets.
- README install no longer mentions Homebrew. There is no public tap, and recommending one in a public OSS README would be misleading.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Pull request overview
This PR hardens the repo’s GitHub Actions supply-chain security by SHA-pinning all uses: references, and updates end-user installation guidance to use mise’s supported github: backend (plus removes a misleading Homebrew instruction).
Changes:
- Pinned all GitHub Actions `uses:` references in CI/CLA/release workflows to full commit SHAs with version annotations.
- Updated installation snippets in `README.md` and GoReleaser release notes from `ubi:` to `github:` for `mise`.
- Removed the README's Homebrew tap install line that doesn't apply to OSS readers.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| README.md | Replaces install instructions with mise (github backend) and Go install, and adds a releases-page fallback. |
| .goreleaser.yml | Updates the release notes footer install snippet to use mise github: backend. |
| .github/workflows/release.yml | Pins checkout/setup-go/goreleaser actions to SHAs for the release workflow. |
| .github/workflows/cla.yml | Pins CLA Assistant action to a full SHA. |
| .github/workflows/ci.yml | Pins checkout/setup-go/golangci-lint actions to SHAs for CI jobs. |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Per Micha's review: while we're SHA-pinning, also bump release.yml to current majors (matches ci.yml's pinning).

- actions/checkout v4.3.1 → v6.0.2
- actions/setup-go v5.6.0 → v6.4.0
- goreleaser-action v6.4.0 → v7.2.2

goreleaser-action v7's only breaking change is internal Node 24 / ESM migration; how we invoke it (`distribution`, `version`, `args`) is unchanged.

Co-Authored-By: Claude Opus 4.7
Copilot Autofix added the global flag to README (`--global`) and goreleaser footer (`-g`) in separate commits. Normalize on the long form for consistency with the README and clarity in docs. Co-Authored-By: Claude Opus 4.7
monotek
approved these changes
May 22, 2026
Member
monotek
left a comment
LGTM. I think the Copilot suggestion should be merged too...
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Comment on lines +49 to +51
| - uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0 | ||
| with: | ||
| version: latest | ||
| version: v1.64.8 |
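Review bot: replacing `version: latest` with a fixed value is the right direction and matches the SHA-pinning intent of this PR, but `v1.64.8` is a golangci-lint v1 release, and the follow-up commit on this thread records that golangci-lint-action >= v7 rejects it ("golangci-lint v1 is not supported by golangci-lint-action >= v7"), so applying the suggestion as written would keep CI red; pin to a v2 release instead (the follow-up commit uses `version: v2.12.2`) and keep that pin in step with the Go toolchain declared in go.mod.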
golangci-lint-action >= v7 explicitly rejects v1.x with "invalid version string 'v1.64.8', golangci-lint v1 is not supported by golangci-lint-action >= v7" — CI was failing for that reason. v2.12.2 is the current stable golangci-lint release (2026-05-06) and is compatible with the Go toolchain declared in go.mod. Also bumps the action SHA to v9.2.1 (patch release, 2026-05-22) since we're in the area. Co-Authored-By: Claude Opus 4.7
What did you do?

- `uses:` line across `ci.yml`, `cla.yml`, and `release.yml`. Each reference is now `<owner>/<action>@<full-commit-sha> # vX.Y.Z`.
- `README.md` install snippet to use `mise use github:Staffbase/gq@latest` (the `ubi:` backend is deprecated in current `mise`).
- `github:` instead of `ubi:`).
- `brew install staffbase/tap/gq` line from the README — there is no public Homebrew tap, and recommending one in a public OSS README would mislead external readers.

Why did you do it?

- `@v6` are mutable. If an upstream maintainer's account is compromised, an attacker can force-push `v6` to a malicious commit and every workflow on the planet using `@v6` silently executes it next run. There is a real-world precedent (tj-actions/changed-files, March 2025). A full commit SHA is content-addressable and immune to this. Dependabot understands the `@<sha> # vX.Y.Z` pattern and will continue to open bump PRs.
- `ubi:` → `github:`: mise warns on `ubi:Staffbase/gq@...` that the backend is deprecated and will be removed in mise 2027.1.0. The `github:` backend is the supported successor and downloads from the same release assets.

Checklist
🤖 Generated with Claude Code.
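The PR's rationale above (mutable tags versus a content-addressed `<owner>/<action>@<full-sha> # vX.Y.Z` pin) is the kind of rule a repo can enforce mechanically rather than by eye. The following is an added example, not code from this PR or from the Staffbase/gq project: a small Python audit that scans a workflow file for `uses:` lines and flags every reference that is not a full 40-hex commit SHA with the trailing version comment Dependabot relies on. The sample workflow text and the SHA in it are constructed placeholders; the function names `check_uses_line` and `audit_workflow` are assumptions of this example.

```python
import re

# Matches a GitHub Actions `uses:` line and captures the reference and any trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
# Only a full 40-hex-character commit SHA is content-addressable; abbreviated SHAs and tags are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# The version annotation Dependabot reads to keep a SHA-pinned action up to date.
VERSION_COMMENT_RE = re.compile(r"^v\d+(?:\.\d+){0,2}(?:\s|$)")


def check_uses_line(line):
    """Classify one workflow line.

    Returns None when the line is not a `uses:` step, otherwise a dict with the
    action reference and a list of findings; an empty findings list means the
    reference follows the `<owner>/<action>@<full-sha> # vX.Y.Z` pattern.
    """
    m = USES_RE.match(line)
    if m is None:
        return None
    ref = m.group("ref").strip("'\"")
    comment = (m.group("comment") or "").strip()
    findings = []

    # Local composite actions and docker images are outside the SHA-pinning rule.
    if ref.startswith("./") or ref.startswith("docker://"):
        return {"ref": ref, "findings": findings}

    if "@" not in ref:
        findings.append("no ref given: resolves to the default branch, which is mutable")
        return {"ref": ref, "findings": findings}

    _, version = ref.rsplit("@", 1)
    if not FULL_SHA_RE.fullmatch(version):
        findings.append(f"mutable ref '{version}': pin to a full 40-character commit SHA")
    elif not VERSION_COMMENT_RE.match(comment):
        findings.append("SHA pin lacks a trailing '# vX.Y.Z' comment, so Dependabot cannot track the version")
    return {"ref": ref, "findings": findings}


def audit_workflow(text):
    """Return (line_number, ref, findings) for every `uses:` line that is not properly pinned."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = check_uses_line(line)
        if result is not None and result["findings"]:
            results.append((lineno, result["ref"], result["findings"]))
    return results


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v6.4.0
      - uses: ./.github/actions/local-build
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action
"""

if __name__ == "__main__":
    for lineno, ref, findings in audit_workflow(SAMPLE_WORKFLOW):
        for finding in findings:
            print(f"line {lineno}: {ref}: {finding}")
```

Run against the constructed sample, the audit reports the tag-pinned `actions/checkout@v4`, the SHA-pinned `actions/cache` that lacks its `# vX.Y.Z` comment, and the bare `some-org/some-action` that floats on the default branch; the correctly pinned `actions/setup-go` step and the local composite action pass. Wiring this into a CI job or a pre-commit hook makes a regression from SHA back to tag fail loudly instead of slipping through review.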