Skip to content

chore: pin GitHub Actions to commit SHAs#726

Merged
lwshang merged 8 commits intomasterfrom
chore/pin-actions-to-sha
Apr 9, 2026
Merged

chore: pin GitHub Actions to commit SHAs#726
lwshang merged 8 commits intomasterfrom
chore/pin-actions-to-sha

Conversation

@slawomirbabicz
Copy link
Copy Markdown
Contributor

@slawomirbabicz slawomirbabicz commented Apr 8, 2026

Pin GitHub Actions to commit SHAs

GitHub Actions referenced by tag (e.g. actions/checkout@v4) use a mutable pointer — the tag owner can move it to a different commit at any time, including a malicious one. This is the attack vector used in the tj-actions/changed-files incident (CVE-2025-30066).

Pinning to a full 40-character commit SHA makes the reference immutable. The # tag comment preserves human readability so reviewers can tell which version is pinned.

Important: a SHA can also originate from a forked repository. A malicious actor can fork an action, push a compromised commit to the fork, and the SHA will resolve — but it won't exist in the upstream canonical repo. Each SHA in this PR was verified against the action's canonical repository (not a fork).

Changes

  • actions/checkout@v4 -> actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

  • actions/setup-python@v4 -> actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1

  • actions/cache@v4 -> actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0

  • thollander/actions-comment-pull-request@v2 -> thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0

  • cachix/install-nix-action@v12 -> cachix/install-nix-action@07da2520eebede906fbeefa9dd0a2b635323909d # v12

  • actions/checkout@v3 -> actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

  • EmbarkStudios/cargo-deny-action@v1 -> EmbarkStudios/cargo-deny-action@3f4a782664881cf5725d0ffd23969fcce89fd868 # v1.6.3

  • actions/checkout@v6 -> actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

  • actions-rust-lang/setup-rust-toolchain@v1 -> actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4

  • rust-lang/crates-io-auth-action@v1 -> rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1

  • actions-rs/cargo@v1 -> actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1.0.3

  • actions/upload-artifact@v4 -> actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

  • actions/download-artifact@v4 -> actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0

    • Version: v4.3.0 | Latest: v3.1.0-node20 | Release age: 22d
    • Commit: actions/download-artifact@d3f86a1
    • Warnings: 1 security advisory(ies) found, Action has 1 known advisory(ies)

  • svenstaro/upload-release-action@v2 -> svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # 2.11.5

  • actions/setup-node@v4 -> actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0

  • pnpm/action-setup@v3 -> pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3

Files modified

  • .github/workflows/bench.yml
  • .github/workflows/coq.yml
  • .github/workflows/license.yml
  • .github/workflows/publish.yml
  • .github/workflows/release.yml
  • .github/workflows/rust.yml
  • .github/workflows/tools.yml

Security warnings

  • 1 security advisory(ies) found
  • Action has 1 known advisory(ies)

@slawomirbabicz slawomirbabicz requested a review from a team as a code owner April 8, 2026 14:37
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 8, 2026
edited
Loading

Name Max Mem (Kb) Encode Decode
blob 4_224 4_207_756 2_122_083
btreemap 75_456 536_171_057 10_185_892_755
double_option 128 1_321_763 ($\textcolor{green}{-0.01\%}$) 28_922_393
large_variant 320 1_045_484 ($\textcolor{green}{-0.02\%}$) 21_225_794
multi_arg 64 551_056 ($\textcolor{green}{-0.02\%}$) 6_594_641
nns 192 2_027_160 ($\textcolor{green}{-0.01\%}$) 5_656_329 ($\textcolor{red}{0.07\%}$)
nns_list_neurons 1_152 6_650_608 ($\textcolor{red}{0.00\%}$) 220_248_227 ($\textcolor{red}{0.00\%}$)
nns_list_proposal 1_216 7_046_366 ($\textcolor{red}{0.06\%}$) 60_862_842 ($\textcolor{green}{-0.03\%}$)
option_list 128 717_275 16_789_150
result_variant 192 1_325_080 ($\textcolor{red}{0.03\%}$) 17_993_824
subtype_decode 512 2_654_127 ($\textcolor{green}{-0.04\%}$) 50_815_825 ($\textcolor{red}{0.00\%}$)
text 6_336 4_204_597 7_877_544
variant_list 128 711_413 15_981_399
vec_int16 12_480 8_405_171 249_586_296
vec_nat 11_008 67_096_148 277_077_517
vec_nat32 24_768 16_793_779 243_295_129
vec_nat64 49_344 33_570_977 251_684_001
vec_service 64 781_319 96_311_260 ($\textcolor{red}{0.08\%}$)
wide_record 1_152 3_271_804 ($\textcolor{green}{-0.02\%}$) 48_410_050 ($\textcolor{green}{-0.00\%}$)
  • Parser cost: 16_174_059
  • Extra args: 2_859_731 ($\textcolor{red}{0.00\%}$)
Click to see raw report 
---------------------------------------------------

Benchmark: blob
  total:
    instructions: 6.33 M (no change)
    heap_increase: 66 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 4.21 M (no change)
    heap_increase: 66 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 2.12 M (no change)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: btreemap
  total:
    instructions: 10.72 B (no change)
    heap_increase: 1179 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 536.17 M (no change)
    heap_increase: 159 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 10.19 B (no change)
    heap_increase: 1020 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: double_option
  total:
    instructions: 30.25 M (-0.00%) (change within noise threshold)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 1.32 M (-0.01%) (change within noise threshold)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 28.92 M (no change)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: extra_args
  total:
    instructions: 2.86 M (0.00%) (change within noise threshold)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: large_variant
  total:
    instructions: 22.27 M (-0.00%) (change within noise threshold)
    heap_increase: 5 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 1.05 M (-0.02%) (change within noise threshold)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 21.23 M (no change)
    heap_increase: 3 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: multi_arg
  total:
    instructions: 7.15 M (-0.00%) (change within noise threshold)
    heap_increase: 1 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 551.06 K (-0.02%) (change within noise threshold)
    heap_increase: 1 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 6.59 M (no change)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: nns
  total:
    instructions: 24.70 M (0.02%) (change within noise threshold)
    heap_increase: 3 pages (no change)
    stable_memory_increase: 0 pages (no change)

  0. Parsing (scope):
    calls: 1 (no change)
    instructions: 16.17 M (no change)
    heap_increase: 3 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 2.03 M (-0.01%) (change within noise threshold)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 5.66 M (0.07%) (change within noise threshold)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: nns_list_neurons
  total:
    instructions: 226.90 M (0.00%) (change within noise threshold)
    heap_increase: 18 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 6.65 M (0.00%) (change within noise threshold)
    heap_increase: 18 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 220.25 M (0.00%) (change within noise threshold)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: nns_list_proposal
  total:
    instructions: 67.91 M (-0.02%) (change within noise threshold)
    heap_increase: 19 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 7.05 M (0.06%) (change within noise threshold)
    heap_increase: 5 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 60.86 M (-0.03%) (change within noise threshold)
    heap_increase: 14 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: option_list
  total:
    instructions: 17.51 M (no change)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 717.27 K (no change)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 16.79 M (no change)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: result_variant
  total:
    instructions: 19.32 M (0.00%) (change within noise threshold)
    heap_increase: 3 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 1.33 M (0.03%) (change within noise threshold)
    heap_increase: 1 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 17.99 M (no change)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: subtype_decode
  total:
    instructions: 53.47 M (-0.00%) (change within noise threshold)
    heap_increase: 8 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 2.65 M (-0.04%) (change within noise threshold)
    heap_increase: 8 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 50.82 M (0.00%) (change within noise threshold)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: text
  total:
    instructions: 12.08 M (no change)
    heap_increase: 99 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 4.20 M (no change)
    heap_increase: 66 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 7.88 M (no change)
    heap_increase: 33 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: variant_list
  total:
    instructions: 16.70 M (no change)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 711.41 K (no change)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 15.98 M (no change)
    heap_increase: 2 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: vec_int16
  total:
    instructions: 257.99 M (no change)
    heap_increase: 195 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 8.41 M (no change)
    heap_increase: 130 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 249.59 M (no change)
    heap_increase: 65 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: vec_nat
  total:
    instructions: 344.18 M (no change)
    heap_increase: 172 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 67.10 M (no change)
    heap_increase: 33 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 277.08 M (no change)
    heap_increase: 139 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: vec_nat32
  total:
    instructions: 260.09 M (no change)
    heap_increase: 387 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 16.79 M (no change)
    heap_increase: 258 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 243.30 M (no change)
    heap_increase: 129 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: vec_nat64
  total:
    instructions: 285.26 M (no change)
    heap_increase: 771 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 33.57 M (no change)
    heap_increase: 514 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 251.68 M (no change)
    heap_increase: 257 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: vec_service
  total:
    instructions: 97.09 M (0.08%) (change within noise threshold)
    heap_increase: 1 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 781.32 K (no change)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 96.31 M (0.08%) (change within noise threshold)
    heap_increase: 1 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Benchmark: wide_record
  total:
    instructions: 51.68 M (-0.00%) (change within noise threshold)
    heap_increase: 18 pages (no change)
    stable_memory_increase: 0 pages (no change)

  1. Encoding (scope):
    calls: 1 (no change)
    instructions: 3.27 M (-0.02%) (change within noise threshold)
    heap_increase: 18 pages (no change)
    stable_memory_increase: 0 pages (no change)

  2. Decoding (scope):
    calls: 1 (no change)
    instructions: 48.41 M (-0.00%) (change within noise threshold)
    heap_increase: 0 pages (no change)
    stable_memory_increase: 0 pages (no change)

---------------------------------------------------

Summary:
  instructions:
    status:   No significant changes 👍
    counts:   [total 20 | regressed 0 | improved 0 | new 0 | unchanged 20]
    change:   [max +80.00K | p75 0 | median 0 | p25 -81 | min -10.68K]
    change %: [max +0.08% | p75 0.00% | median 0.00% | p25 -0.00% | min -0.02%]

  heap_increase:
    status:   No significant changes 👍
    counts:   [total 20 | regressed 0 | improved 0 | new 0 | unchanged 20]
    change:   [max 0 | p75 0 | median 0 | p25 0 | min 0]
    change %: [max 0.00% | p75 0.00% | median 0.00% | p25 0.00% | min 0.00%]

  stable_memory_increase:
    status:   No significant changes 👍
    counts:   [total 20 | regressed 0 | improved 0 | new 0 | unchanged 20]
    change:   [max 0 | p75 0 | median 0 | p25 0 | min 0]
    change %: [max 0.00% | p75 0.00% | median 0.00% | p25 0.00% | min 0.00%]

---------------------------------------------------
Successfully persisted results to canbench_results.yml

@lwshang lwshang merged commit 39ef098 into master Apr 9, 2026
11 checks passed
@lwshang lwshang deleted the chore/pin-actions-to-sha branch April 9, 2026 14:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lwshang lwshang lwshang approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@slawomirbabicz @lwshang