
Add lint rule to enforce SHA pinning for third-party GitHub Actions #12796

Merged
petebacondarwin merged 4 commits into main from enforce-action-sha-pinning
Mar 11, 2026

Conversation

petebacondarwin (Contributor) commented Mar 6, 2026

N/A - follow-up to #12793, no issue.

Add a validation script that runs as part of pnpm check to enforce that all third-party GitHub Actions are pinned to full commit SHAs rather than mutable tags or branch references. This prevents future regressions after the pinning done in #12793.

What's included:

  • tools/github-workflow-helpers/validate-action-pinning.ts — Scans all .github/workflows/*.yml and .github/actions/*/action.yml files for uses: directives. Third-party actions must reference a 40-char commit SHA. First-party actions/* and local ./ actions are exempt.
  • tools/github-workflow-helpers/__tests__/validate-action-pinning.test.ts — 12 test cases covering pinned SHAs, tags, semver, branches, first-party actions, local actions, composite actions, multi-file errors, and line number reporting.
  • package.json — New check:workflows script wired into the pnpm check pipeline between check:deployments and lint-turbo.mjs.

  • Tests
    • Tests included/updated
    • Automated tests not possible - manual testing has been completed as follows:
    • Additional testing not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because: internal CI tooling change only


changeset-bot commented Mar 6, 2026

⚠️ No Changeset found

Latest commit: c473c06

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.


pkg-pr-new commented Mar 6, 2026

  • create-cloudflare: npm i https://pkg.pr.new/create-cloudflare@12796
  • @cloudflare/kv-asset-handler: npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@12796
  • miniflare: npm i https://pkg.pr.new/miniflare@12796
  • @cloudflare/pages-shared: npm i https://pkg.pr.new/@cloudflare/pages-shared@12796
  • @cloudflare/unenv-preset: npm i https://pkg.pr.new/@cloudflare/unenv-preset@12796
  • @cloudflare/vite-plugin: npm i https://pkg.pr.new/@cloudflare/vite-plugin@12796
  • @cloudflare/vitest-pool-workers: npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@12796
  • @cloudflare/workers-editor-shared: npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@12796
  • wrangler: npm i https://pkg.pr.new/wrangler@12796

commit: c17d774

@petebacondarwin petebacondarwin force-pushed the enforce-action-sha-pinning branch from 14bfc58 to 23c7bf5 Compare March 6, 2026 19:25
@petebacondarwin petebacondarwin marked this pull request as ready for review March 7, 2026 07:52
@petebacondarwin petebacondarwin requested a review from a team as a code owner March 7, 2026 07:52
workers-devprod (Contributor) commented Mar 7, 2026

Codeowners approval required for this PR:

  • ✅ @cloudflare/wrangler

devin-ai-integration[bot] commented (this comment was marked as resolved)

@petebacondarwin petebacondarwin force-pushed the enforce-action-sha-pinning branch from b42e795 to ac4c6b7 Compare March 10, 2026 09:48
devin-ai-integration[bot] commented (this comment was marked as resolved)

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Mar 10, 2026
@petebacondarwin petebacondarwin force-pushed the enforce-action-sha-pinning branch from 799372e to 7732ff3 Compare March 11, 2026 09:53
petebacondarwin and others added 4 commits March 11, 2026 14:09
Add a validation script that checks all workflow and composite action
files to ensure third-party GitHub Actions are pinned to full commit
SHAs rather than mutable tags or branch references. First-party
actions/* are exempt.

- New script: tools/github-workflow-helpers/validate-action-pinning.ts
- New tests: tools/github-workflow-helpers/__tests__/validate-action-pinning.test.ts
- Wired into pnpm check via new check:workflows script in root package.json
Co-authored-by: devin-ai-integration[bot] <158243242+devin-ai-integration[bot]@users.noreply.github.com>
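The check that the PR description and the commit message above describe, as an added example in TypeScript. This is not the workers-sdk validate-action-pinning.ts script; it applies the same rules (every `uses:` in a workflow or composite action must reference a 40-character commit SHA unless it is a first-party actions/* or a local ./ action, and violations are reported with file path and line number), but the function names are mine, and the paths, organisation names and commit SHAs in the sample input are constructed.

```typescript
// Added example, not the workers-sdk script. The sample workflow contents below
// are constructed; the organisation names and commit SHAs in them are made up.

interface PinningError {
  file: string;   // path the offending line came from
  line: number;   // 1-based line number, matching the PR's line-number reporting
  uses: string;   // the `uses:` value as written
  reason: string;
}

// A full commit SHA: exactly 40 hex characters. Short SHAs, tags and branches fail this.
const FULL_SHA = /^[0-9a-fA-F]{40}$/;

// `uses:` as a step key, optionally a list item, optionally quoted, optionally followed
// by a trailing comment such as `# v4.1.0` (the usual pinning convention). Comment lines
// (`# uses: ...`) do not match because the line must start with `uses:` or `- uses:`.
const USES_LINE = /^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?/;

// Exemptions taken from the PR: first-party `actions/*` and local `./` actions.
// The prefix is `actions/` with the slash, so `actions-rs/toolchain` is NOT exempt.
function isExempt(uses: string): boolean {
  return uses.startsWith("./") || uses.startsWith("actions/");
}

// Validate one file's text. `docker://` references carry no commit SHA and are reported
// as unpinned here; the page does not say how the real script treats them.
function checkWorkflowText(file: string, text: string): PinningError[] {
  const errors: PinningError[] = [];
  text.split(/\r?\n/).forEach((raw, idx) => {
    const m = USES_LINE.exec(raw);
    if (!m) return;
    const uses = m[1];
    if (isExempt(uses)) return;
    const at = uses.lastIndexOf("@");
    if (at === -1) {
      errors.push({ file, line: idx + 1, uses, reason: "has no @ref" });
      return;
    }
    const ref = uses.slice(at + 1);
    if (!FULL_SHA.test(ref)) {
      errors.push({ file, line: idx + 1, uses, reason: `ref "${ref}" is not a 40-char commit SHA` });
    }
  });
  return errors;
}

// The real script walks .github/workflows/*.yml and .github/actions/*/action.yml on disk;
// here the "repository" is an in-memory map of path -> contents so the example runs offline.
function checkFiles(files: Record<string, string>): PinningError[] {
  const out: PinningError[] = [];
  for (const path of Object.keys(files)) out.push(...checkWorkflowText(path, files[path]));
  return out;
}

function formatReport(errors: PinningError[]): string[] {
  return errors.map((e) => `${e.file}:${e.line}: uses "${e.uses}" ${e.reason}`);
}

// Constructed sample input (made-up orgs, made-up SHAs); the line comments give the
// 1-based line each step lands on inside its file.
const PINNED_A = "0123456789abcdef0123456789abcdef01234567";
const PINNED_B = "89abcdef0123456789abcdef0123456789abcdef";
const SAMPLE_FILES: Record<string, string> = {
  ".github/workflows/ci.yml": [
    "name: CI",
    "on: [push]",
    "jobs:",
    "  build:",
    "    runs-on: ubuntu-latest",
    "    steps:",
    "      - uses: actions/checkout@v4",                          // line 7: first-party, exempt
    "      - uses: ./.github/actions/setup",                      // line 8: local, exempt
    `      - uses: example-org/setup-tool@${PINNED_A} # v4.0.0`,  // line 9: pinned, ok
    "      - uses: example-org/some-action@v3",                   // line 10: tag -> error
    "      - uses: example-org/other-action@main",                // line 11: branch -> error
    '      - uses: "example-org/quoted-action@0123456"',          // line 12: short SHA -> error
    "      - uses: actions-rs/toolchain@v1",                      // line 13: not actions/* -> error
  ].join("\n"),
  ".github/actions/setup/action.yml": [
    "name: setup",
    "runs:",
    "  using: composite",
    "  steps:",
    `    - uses: example-org/monorepo/.github/actions/cache@${PINNED_B}`, // subpath action, pinned
  ].join("\n"),
};

const report = formatReport(checkFiles(SAMPLE_FILES));
console.log(report.length === 0 ? "all third-party actions are SHA-pinned" : report.join("\n"));
```

Wired into `pnpm check` the way the PR describes, a script like this would read the two globs from disk and exit non-zero when the report is non-empty; the in-memory map stands in for the filesystem so the example runs anywhere. The `actions-rs/toolchain` line is there deliberately: a prefix check written as `startsWith("actions")` without the slash would silently exempt it.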
@petebacondarwin petebacondarwin force-pushed the enforce-action-sha-pinning branch from 7732ff3 to c473c06 Compare March 11, 2026 14:09
@petebacondarwin petebacondarwin merged commit 5d49380 into main Mar 11, 2026
48 of 51 checks passed
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Mar 11, 2026
@petebacondarwin petebacondarwin deleted the enforce-action-sha-pinning branch March 11, 2026 16:24

3 participants