Summary
Some GitHub Actions workflows still reference mutable version tags such as actions/checkout@v4, actions/setup-python@v6, github/codeql-action/*@v4, and similar action tags.
Why
Pinning actions to immutable commit SHAs reduces supply-chain risk from tag movement or compromised upstream release tags. Some actions are already pinned in this repository, so this issue is about completing that hardening consistently.
Proposed direction
- Replace remaining tag-based uses: references with commit SHAs.
- Keep comments indicating the friendly version tag, for example # v4.
- Let Dependabot continue to propose updates.
Acceptance criteria
- All .github/workflows/*.yml action references are pinned to SHAs.
- Existing workflow behavior is unchanged.
- Comments preserve human-readable action versions where useful.
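To make the first acceptance criterion checkable and to illustrate the pinned form the proposed direction describes, here is an added example (not code from this repository or from the issue) that scans workflow text for uses: references and reports any that are not pinned to a full-length commit SHA. The sample workflow and its 40-hex-digit SHA are constructed for the example; the action names match those mentioned above, but the SHA is not a real release commit.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the repository): two references still on
# mutable tags, one already pinned to a made-up full-length SHA with its friendly
# version comment, one same-repo local action, and a plain run step.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v6
        with:
          python-version: "3.12"
      - uses: github/codeql-action/init@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/local-step
      - run: echo done
"""

# Matches a `uses:` key and captures the reference up to the first whitespace,
# so a trailing "# v4" comment is not part of the captured reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
# Only a full 40-hex-digit commit SHA counts as an immutable pin.
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_ref(ref: str) -> str:
    """Classify a `uses:` reference as 'local', 'docker', 'sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"  # same-repository path; there is no @ref to pin
    if ref.startswith("docker://"):
        return "docker"  # container image reference; outside this issue's scope
    _, sep, version = ref.partition("@")
    if not sep:
        return "mutable"  # no @ref at all resolves to the default branch
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reference) for every tag- or branch-based action reference."""
    unpinned = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group(1)) == "mutable":
            unpinned.append((lineno, m.group(1)))
    return unpinned


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a full-length commit SHA")
```

Run it against the contents of each file under .github/workflows/ and an empty result means the first acceptance criterion holds; the check deliberately treats short SHAs and branch names as mutable, since only a full-length commit SHA gives the immutability the issue is after.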