
security: pin GitHub Actions to immutable SHA hashes#9046

Open
Ankitsinghsisodya wants to merge 2 commits into knative:main from Ankitsinghsisodya:ci/sha-pinning

Conversation


@Ankitsinghsisodya Ankitsinghsisodya commented Apr 22, 2026

Summary

Mutable tags (v0.9, v2.1.0, v4, v6) can be silently moved to a different commit, making CI vulnerable to supply-chain attacks. Pinning third-party actions to their exact commit SHA ensures the code that ran during review is the code that runs in production.

Pinned in kind-e2e.yaml:

Action                      Tag     Commit SHA
ko-build/setup-ko           v0.9    d006021b
actions/checkout            v4      34e11487
rtCamp/action-slack-notify  v2.1.0  e17352fe

Pinned in knative-downstream.yaml:

Action            Tag  Commit SHA
actions/checkout  v6   de0fac2e

Left unpinned intentionally:

  • knative/actions/*@main — Knative's own reusable actions follow a rolling @main convention by design
  • chainguard-dev/actions/setup-kind — already pinned to a SHA in both files

Test plan

  • Confirm both workflows pass with the SHA-pinned actions

Automated updates for pinned actions

This repo already configures Dependabot for GitHub Actions in .github/.dependabot.yaml (package-ecosystem: github-actions, weekly interval). Dependabot opens PRs when new releases move the tag that corresponds to a pinned action, so SHA pins do not go stale without review.
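A check for the pinning policy this PR applies, added here as an example and not part of the PR or the Knative repository: it scans a workflow's `uses:` lines and reports references whose version is not a full 40-hex commit SHA, treating `knative/actions/*` as an assumed allowed rolling prefix (the PR's own exception) and local `./` actions as in-repo code. The sample workflow and its 40-hex value are constructed placeholders; the short SHAs in the description above are abbreviated display forms, and a pin needs the full SHA.

```python
import re
from typing import NamedTuple

# A `uses:` step reference: owner/repo[/path]@ref or a local ./path (trailing comment ignored)
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Assumed policy: first-party action prefixes allowed to float on a branch,
# mirroring the PR's decision to leave knative/actions/*@main unpinned.
ALLOWED_ROLLING = ("knative/actions/",)

class Finding(NamedTuple):
    line: int
    ref: str
    status: str  # pinned | local | allowed-rolling | mutable

def classify(ref: str) -> str:
    """Decide whether one `uses:` reference is immutably pinned."""
    if ref.startswith("./"):
        return "local"  # lives in this repo and is reviewed with the workflow
    action, _, version = ref.partition("@")
    if FULL_SHA_RE.match(version):
        return "pinned"  # a full 40-hex commit SHA cannot be re-pointed
    if any(action.startswith(p) for p in ALLOWED_ROLLING):
        return "allowed-rolling"
    return "mutable"  # tag or branch: can be moved to different code later

def audit(workflow_text: str) -> list[Finding]:
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append(Finding(n, m.group(1), classify(m.group(1))))
    return findings

def unpinned(workflow_text: str) -> list[Finding]:
    return [f for f in audit(workflow_text) if f.status == "mutable"]

# Constructed sample workflow (not the repo's file); the 40-hex value is a placeholder.
SAMPLE = """\
jobs:
  e2e:
    steps:
      - uses: actions/checkout@v4
      - uses: ko-build/setup-ko@0123456789abcdef0123456789abcdef01234567  # v0.9
      - uses: knative/actions/setup-go@main
      - uses: ./.github/actions/e2e-matrix
      - uses: rtCamp/action-slack-notify@v2.1.0
"""
```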

Copilot AI review requested due to automatic review settings April 22, 2026 18:32
@knative-prow knative-prow Bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Apr 22, 2026

knative-prow Bot commented Apr 22, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Ankitsinghsisodya
Once this PR has been reviewed and has the lgtm label, please assign creydr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 22, 2026

knative-prow Bot commented Apr 22, 2026

Hi @Ankitsinghsisodya. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


Copilot AI left a comment


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Pins third-party GitHub Actions to immutable commit SHAs to reduce supply-chain risk from mutable tags.

Changes:

  • Pin actions/checkout to a specific commit SHA in knative-downstream.yaml.
  • Pin ko-build/setup-ko, actions/checkout, and rtCamp/action-slack-notify to specific commit SHAs in kind-e2e.yaml.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File                                       Description
.github/workflows/knative-downstream.yaml  Replaces actions/checkout tag references with a pinned commit SHA.
.github/workflows/kind-e2e.yaml            Replaces action tags for ko setup, checkout, and Slack notify with pinned commit SHAs.



codecov Bot commented Apr 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 51.05%. Comparing base (9ba4c6c) to head (279b9f7).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #9046   +/-   ##
=======================================
  Coverage   51.05%   51.05%           
=======================================
  Files         409      409           
  Lines       21997    21997           
=======================================
+ Hits        11230    11231    +1     
+ Misses       9905     9902    -3     
- Partials      862      864    +2     


@knative-prow-robot knative-prow-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 25, 2026
Mutable tags (v0.9, v2.1.0, v4, v6) can be silently moved to a
different commit, making CI vulnerable to supply-chain attacks. Pinning
third-party actions to their exact commit SHA ensures the code that ran
in review is the code that runs in production.

Pinned:
- ko-build/setup-ko        v0.9  -> d006021b
- actions/checkout         v4    -> 34e11487  (kind-e2e.yaml)
- actions/checkout         v6    -> de0fac2e  (knative-downstream.yaml)
- rtCamp/action-slack-notify v2.1.0 -> e17352fe

knative/actions@main is intentionally left unpinned — Knative's own
reusable actions follow a rolling @main convention by design.
chainguard-dev/actions/setup-kind was already pinned to a SHA.

- Note in workflow headers that .github/.dependabot.yaml bumps pinned
  third-party actions on a weekly schedule (addresses supply-chain
  review feedback about SHA pins not auto-updating).
- Expand inline comments to full action@tag plus upstream release URL
  for checkout, setup-ko, and slack-notify pins.
@knative-prow-robot knative-prow-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Apr 25, 2026