Part of the cross-SDK dependency pinning audit — #6239.
Several GitHub Actions in our CI workflows were referenced by mutable version tags (e.g. @v7) instead of full commit SHAs. Mutable tags can be force-pushed upstream, posing a supply chain risk.
Actions to pin:
actions/upload-artifact@v7
actions/download-artifact@v8
actions/github-script@v9
actions/setup-java@v5
actions/checkout@v6 (one instance in detect-changes.yml)
actions/cache@v5
ruby/setup-ruby@v1
getsentry/release-comment-issues-gh-action@v1
getsentry/github-workflows/updater@v3
Fix: Pin each to its current commit SHA with the version tag preserved as a comment. Dependabot (already configured for github-actions) will propose updates when new versions are released.
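The check below is an added example, not part of the issue or of the Sentry repositories: a small POSIX shell audit that lists every `uses:` reference in workflow files that is still pinned to a mutable ref (a tag such as `@v6` or a branch) rather than a full 40-character commit SHA. The sample workflow it scans is constructed for the demonstration, and the SHA in it is an all-zero placeholder, not a real upstream commit; local actions (`./path`) and `docker://` references are skipped because they are not mutable tags on a third-party repository.

```shell
#!/bin/sh
# Added example (not from the issue): find GitHub Actions references that are
# not pinned to a full commit SHA. Assumes a POSIX sh with grep -E and sed -E.

# Print each action reference in the given workflow files whose ref is not a
# 40-hex commit SHA. Local actions and docker:// images are ignored.
unpinned_actions() {
    grep -h -E '^[[:space:]-]*uses:[[:space:]]*' "$@" \
    | sed -E 's/^[[:space:]-]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//; s/^"//; s/"$//' \
    | grep -v -E '^(\./|docker://)' \
    | grep -v -E '@[0-9a-f]{40}$' || true   # grep exits 1 when nothing is left; that is not an error here
}

# Constructed sample workflow for the demonstration (not a real Sentry workflow).
# The setup-java line shows the target format: SHA pinned, version kept as a comment.
write_sample_workflow() {
    cat > "$1" <<'EOF'
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-java@0000000000000000000000000000000000000000 # v5 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3
      - name: script
        uses: actions/github-script@v9
EOF
}

# Run the audit against the constructed sample; in a real repository you would
# pass .github/workflows/*.yml instead.
sample=$(mktemp)
write_sample_workflow "$sample"
echo "Unpinned action references:"
unpinned_actions "$sample"
rm -f "$sample"
```

Run it from the repository root with `unpinned_actions .github/workflows/*.yml`; anything it prints is a candidate for the SHA-pinning described above, and an empty result is the state Dependabot's `github-actions` ecosystem then keeps current by proposing SHA bumps.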