ci: pin GitHub Actions to SHAs#2292
Merged
bjohansebas merged 1 commit intoexpressjs:redesignfrom Apr 25, 2026
Merged
Conversation
Resolve all tag-referenced actions in .github/workflows/ to full commit SHAs, preserving the original tag as an inline comment.
✅ Deploy Preview for expressjscom-preview ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
krzysdz
approved these changes
Apr 22, 2026
Contributor
krzysdz
left a comment
krzysdz
left a comment
There was a problem hiding this comment.
Verified all manually (only if hashes match versions; not a code audit). Some actions use different versions in different jobs and some don't use the latest version:
actions/setup-node- v4 is used once, rest (3) uses v6 (latest version)actions/upload-artifact- v7 is available, v4 is used in 2 jobs, v6 is used in 1 jobactions/download-artifact- v8 is available, v4 is used in 1 jobactions/deploy-pages- v5 is available, v4 is used in 1 jobactions/cache- v5 is available, v4 is used in 1 job
I did not check compatibility or review changes (some releases have only a few days and if we pin versions for security reason, the code probably should be audited when the version changes).
github/codeql-action/* actions probably don't require pinning by hash, because releases (and corresponding tags) are immutable. A patch version tag (e.g. v4.35.2) should always point to the same commit if we trust GitHub to have implemented this feature correctly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Problem
We want to ensure that our actions are pinned so we dont get rekt in a takeover
The Solution
SHA pin all the actions being used on the redesign branch.
SHAs were resolved via
gh api repos/OWNER/REPO/commits/TAG --jq .shaThe main branch wasnt all pinned, so the lack of pinning wasnt necessarily new to the redesign, but this PR ensures that we pin them all.