Skip to content

Use SHA for action #50250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 2, 2025
Merged

Use SHA for action #50250

merged 2 commits into from
Dec 2, 2025

Conversation

@gewarren
Copy link
Contributor

@gewarren gewarren commented Dec 1, 2025
edited by github-actions bot
Loading

Copilot AI review requested due to automatic review settings December 1, 2025 22:05
@gewarren gewarren requested a review from a team as a code owner December 1, 2025 22:05
@dotnetrepoman dotnetrepoman bot added this to the December 2025 milestone Dec 1, 2025
@gewarren gewarren enabled auto-merge (squash) December 1, 2025 22:05
Copilot finished reviewing on behalf of gewarren December 1, 2025 22:08
Copilot AI reviewed Dec 1, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances security by replacing semantic version tags with commit SHA references for the peter-evans/create-pull-request action across multiple GitHub workflow files. Using SHA references provides immutable references that prevent potential supply chain attacks through tag manipulation.

  • Replaces peter-evans/create-pull-request@v7 with the specific SHA 84ae59a2cdc2258d6fa0732dd66352dddae2a412
  • Updates 8 workflow files consistently with the same SHA reference
  • Aligns with GitHub Actions security best practices for pinning dependencies

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
.github/workflows/dependabot-bot.yml Updates action reference in the dependabot configuration update workflow
.github/workflows/cleanrepo-replace-redirects.yml Updates action reference in the redirect replacement cleanup workflow
.github/workflows/cleanrepo-relative-links.yml Updates action reference in the relative links cleanup workflow
.github/workflows/cleanrepo-redirect-hops.yml Updates action reference in the redirect hops removal workflow
.github/workflows/cleanrepo-orphaned-snippets.yml Updates action reference in the orphaned snippets cleanup workflow
.github/workflows/cleanrepo-orphaned-includes.yml Updates action reference in the orphaned includes cleanup workflow
.github/workflows/cleanrepo-orphaned-images.yml Updates action reference in the orphaned images cleanup workflow
.github/workflows/cleanrepo-orphaned-articles.yml Updates action reference in the orphaned articles cleanup workflow

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

BillWagner
BillWagner approved these changes Dec 1, 2025
View reviewed changes
Copy link
Member

@BillWagner BillWagner left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM. Let's :shipit:

I'm fine with ignoring the Copilot comments. Dependabot will add those when a new version comes out.

@gewarren gewarren merged commit 53e4ae0 into dotnet:main Dec 2, 2025
9 checks passed
@gewarren gewarren deleted the sha branch December 2, 2025 17:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@BillWagner BillWagner BillWagner approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

December 2025

Development

Successfully merging this pull request may close these issues.

2 participants

@gewarren @BillWagner