CI: pin third-party GitHub Actions to specific commit SHAs for security#5143

Merged
jedel1043 merged 2 commits into boa-dev:main from RishavTiwari25:ci/pin-github-actions
Mar 19, 2026

Conversation

@RishavTiwari25
Contributor

This Pull Request fixes/closes #5142 .

It changes the following:

  • Refactors all .github/workflows/*.yml files to use explicit, immutable 40-character commit SHAs instead of mutable tags (like @v6 or @stable) for third-party GitHub actions.
  • Hardens the CI/CD pipeline against supply-chain and tag-hijacking attacks, complying with OpenSSF and GitHub advanced security best practices.
  • Retains the original action version tags inline as # comments so developers can still easily read and identify action versions at a glance.
  • Relies on the repository's existing dependabot.yml configuration to automatically keep these pinned SHAs updated going forward securely.
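
A check a maintainer could run over .github/workflows to confirm the convention this PR adopts (a full 40-hex commit SHA on every third-party `uses:` reference, with the original version tag kept as an inline comment). This is an added example, not code from this PR or the boa-dev repository; the workflow text, the example-org action names and the SHAs in it are constructed placeholders.

```python
import re

# One "uses:" reference, as a step (- uses:) or a reusable-workflow job (uses:).
# The "@ref" part is optional because local (./path) and docker:// actions may omit it.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[^@\s#]+)(?:@(?P<ref>[^\s#]+))?\s*"
    r"(?:#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, action, problem) for every third-party action that is
    not pinned to a full 40-hex commit SHA with the version tag kept as a comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        # Local composite actions and docker images are not GitHub refs; skip them.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if ref is None or not FULL_SHA_RE.match(ref):
            findings.append((lineno, action, f"mutable ref {ref!r}"))
        elif comment is None:
            findings.append((lineno, action, "pinned but missing version comment"))
    return findings


# Constructed sample workflow; the SHAs and example-org actions are placeholders.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: example-org/setup-tool@v6
      - uses: example-org/toolchain@stable
      - uses: ./.github/actions/local-step
      - uses: example-org/pinned@89abcdef0123456789abcdef0123456789abcdef
      - run: cargo test
"""

if __name__ == "__main__":
    for lineno, action, problem in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}: {problem}")
```

Run it against each workflow file; an empty result means every third-party action is SHA-pinned and annotated, which is the state Dependabot then keeps current.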

@RishavTiwari25 RishavTiwari25 requested a review from a team as a code owner March 18, 2026 22:47
@github-actions github-actions bot added Waiting On Review Waiting on reviews from the maintainers C-Tests Issues and PRs related to the tests. C-Builtins PRs and Issues related to builtins/intrinsics C-Actions Pull requests that update Github Actions code and removed Waiting On Review Waiting on reviews from the maintainers labels Mar 18, 2026
@github-actions github-actions bot added this to the v1.0.0 milestone Mar 18, 2026
github-actions bot commented Mar 18, 2026

Test262 conformance changes

Test result    main count   PR count   difference
Total              52,963     52,963            0
Passed             50,073     50,073            0
Ignored             2,072      2,072            0
Failed                818        818            0
Panics                  0          0            0
Conformance        94.54%     94.54%        0.00%

Tested main commit: 50f0103d9188d33862efbc38397a81e497973632
Tested PR commit: ed75a518ecaf689eef2bdc27f1de2e6622376830
Compare commits: 50f0103...ed75a51

@jedel1043 jedel1043 added A-Meta Issues and PRs related to the repository itself and removed C-Tests Issues and PRs related to the tests. C-Builtins PRs and Issues related to builtins/intrinsics labels Mar 18, 2026
@github-actions github-actions bot added Waiting On Review Waiting on reviews from the maintainers C-Tests Issues and PRs related to the tests. C-Builtins PRs and Issues related to builtins/intrinsics labels Mar 18, 2026
codecov bot commented Mar 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.43%. Comparing base (6ddc2b4) to head (ed75a51).
⚠️ Report is 890 commits behind head on main.

@@             Coverage Diff             @@
##             main    #5143       +/-   ##
===========================================
+ Coverage   47.24%   59.43%   +12.19%     
===========================================
  Files         476      580      +104     
  Lines       46892    63181    +16289     
===========================================
+ Hits        22154    37554    +15400     
- Misses      24738    25627      +889     

@jedel1043 jedel1043 added this pull request to the merge queue Mar 18, 2026
Merged via the queue into boa-dev:main with commit 055ee09 Mar 19, 2026
22 checks passed
@github-actions github-actions bot removed the Waiting On Review Waiting on reviews from the maintainers label Mar 19, 2026