chore: Pin GitHub Actions jobs to SHA hashes for security. #3260
Open
connorshea wants to merge 1 commit into main from
Conversation
And also set `persist-credentials: false` on some uses of checkout actions that didn't need it. These were detected/partially auto-fixed by Zizmor: https://github.com/zizmorcore/zizmor
Pull request overview
Pins GitHub Actions used by the repo’s CI workflows to specific commit SHAs and tightens checkout behavior to reduce supply-chain risk and avoid persisting credentials where not needed.
Changes:
- Pin actions/checkout, ruby/setup-ruby, and github/codeql-action to commit SHAs (with version comments).
- Set persist-credentials: false for actions/checkout steps across workflows.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/ruby.yml | Pin checkout/setup-ruby actions to SHAs; disable persisted credentials for checkout in test/lint jobs. |
| .github/workflows/codeql.yml | Pin checkout and CodeQL actions to SHAs; disable persisted credentials for checkout. |
| .github/workflows/bench.yml | Pin checkout/setup-ruby actions to SHAs; disable persisted credentials for checkout. |
Motivation / Background
This PR has been created to pin GitHub Actions to SHA hashes, to prevent supply chain attacks if any of these Actions end up compromised and release a new version with malicious code.
It'd be a good idea to also enforce that SHA hashes be used in the repo settings, if that's desired.
I've updated all of the actions used to their latest versions (most already were there).
Dependabot will still be able to update these actions and will keep the SHA hashes accordingly.
I've also set `persist-credentials: false` on some uses of checkout actions that didn't need it. All of these were detected/partially auto-fixed by Zizmor: https://github.com/zizmorcore/zizmor
Additional information
We could opt not to do this, but there aren't really any downsides that I'm aware of.
Checklist
Before submitting the PR make sure the following are checked:
[Fix #issue-number]
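The two checks this PR relies on Zizmor for, as an added example that is neither this project's nor Zizmor's code: a small Python audit that flags workflow steps whose action is not pinned to a full 40-character commit SHA, and actions/checkout steps that do not set `persist-credentials: false`. The sample workflow, the SHA placeholder and the `audit_workflow` function are constructed for this example; they are not files or values from this repository.

```python
import re

# Constructed sample (not the PR's real file): two unpinned steps and one step
# pinned to a 40-hex placeholder SHA (not a real commit) with credentials off.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z placeholder
        with:
          persist-credentials: false
      - run: bundle exec rake
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^(\s*)(-\s*)?uses:\s*(\S+)")

def audit_workflow(text: str) -> list:
    """Return (action, ref, issue) for steps not pinned to a full commit SHA and
    for actions/checkout steps that keep the default persist-credentials: true."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        action, _, ref = m.group(3).partition("@")
        # Keys of the same step (with:, env:) sit at or right of the uses: column;
        # the next step's dash sits left of it. Assumes with: follows uses:.
        step, j = [], i + 1
        while j < len(lines) and (not lines[j].strip()
                                  or len(lines[j]) - len(lines[j].lstrip()) >= key_indent):
            step.append(lines[j].strip())
            j += 1
        if not action.startswith("./") and not SHA_RE.match(ref):  # local actions need no pin
            findings.append((action, ref, "unpinned"))
        if action == "actions/checkout" and "persist-credentials: false" not in step:
            findings.append((action, ref, "persist-credentials"))
        i = j
    return findings
```

Running it over the sample reports the two tag-pinned steps and the checkout step that keeps the default credential persistence, while the SHA-pinned checkout with `persist-credentials: false` passes.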