Pin GitHub Actions by SHA and add 5-day Dependabot cooldown#7880
Merged
Agent-Logs-Url: https://github.com/microsoft/CCF/sessions/25b96e7d-9588-458c-8161-0ca89ac22c99
Co-authored-by: achamayou <4016369+achamayou@users.noreply.github.com>
Copilot created this pull request from a session on behalf of achamayou, May 12, 2026 15:27.

achamayou (Member):
@copilot did you miss any actions or workflows?
Copilot (Contributor, Author):
Double-checked: all 12 files under
achamayou approved these changes, May 12, 2026
maxtropets approved these changes, May 12, 2026
cjen1-msft approved these changes, May 12, 2026
Copilot (Contributor) review:
Pull request overview
Hardens the CI supply chain by pinning all GitHub Actions workflow uses: references to immutable commit SHAs, and updates Dependabot scheduling to control when workflow dependency updates are proposed.
Changes:
- Pin all GitHub Actions and third-party action references in workflows from `@<tag>`/`@main` to `@<sha> # <tag>`.
- Pin `bencherdev/bencher` to the `v0.6.5` commit SHA rather than a moving branch.
- Update Dependabot's `github-actions` schedule to `daily` and add a proposed 5-day delay before surfacing updates.
Custom instructions used: `.github/copilot-instructions.md`, `.github/instructions/reviewing.instructions.md`, `.github/instructions/changelog.instructions.md`
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/release.yml | Pins checkout, upload-artifact, and download-artifact actions to SHAs. |
| .github/workflows/release-attestation.yml | Pins attest-build-provenance to a SHA. |
| .github/workflows/pypi.yml | Pins checkout to a SHA. |
| .github/workflows/npm.yml | Pins checkout and setup-node to SHAs. |
| .github/workflows/long-verification.yml | Pins checkout and upload-artifact to SHAs. |
| .github/workflows/long-test.yml | Pins checkout and upload-artifact to SHAs. |
| .github/workflows/doc.yml | Pins Pages-related actions (configure-pages, upload-pages-artifact, deploy-pages) to SHAs. |
| .github/workflows/codeql-analysis.yml | Pins checkout and CodeQL actions (init, analyze) to SHAs. |
| .github/workflows/ci.yml | Pins checkout and upload-artifact to SHAs across CI jobs. |
| .github/workflows/ci-verification.yml | Pins checkout and upload-artifact to SHAs in verification jobs. |
| .github/workflows/bencher.yml | Pins checkout, upload-artifact, and bencherdev/bencher to SHAs. |
| .github/workflows/bencher-ab.yml | Pins checkout, upload-artifact, and download-artifact to SHAs. |
| .github/dependabot.yml | Switches github-actions updates to daily and adds a 5-day “cooldown” stanza. |
achamayou approved these changes, May 12, 2026
Summary

Hardens the supply chain of our GitHub Actions workflows by pinning every action reference to an immutable commit SHA, and configures Dependabot to wait 5 days after a new release before opening an update PR.

Changes

`.github/workflows/*.yml` (12 files)

Every `uses:` line is rewritten from `owner/action@<tag>` to `owner/action@<40-char-sha> # <tag>`. The trailing comment preserves the human-readable tag so reviewers can see at a glance which version is pinned, and Dependabot recognises this format and will update both the SHA and the comment together.

Resolved pins:

| Action | Tag | SHA |
|---|---|---|
| actions/attest-build-provenance | v4 | a2bbfa2… |
| actions/checkout | v6 | de0fac2… |
| actions/configure-pages | v6 | 45bfe01… |
| actions/deploy-pages | v5 | cd2ce8f… |
| actions/download-artifact | v8 | 3e5f45b… |
| actions/setup-node | v6 | 48b55a0… |
| actions/upload-artifact | v7 | 043fb46… |
| actions/upload-pages-artifact | v5 | fc324d3… |
| github/codeql-action/{init,analyze} | v4 | 68bde55… |
| bencherdev/bencher | v0.6.5 | 99117a6… |

`bencherdev/bencher` — behaviour change to flag

Previously referenced as `@main`, a moving branch with no release semantics. It is now pinned to the SHA of the latest release tag (`v0.6.5`), which happens to be the same commit `main` currently points at. Going forward, Dependabot will propose updates only when a new release tag is published, rather than every commit landing on `main`. Please confirm this is the desired behaviour.

`.github/dependabot.yml`

Added a 5-day `cooldown` for the `github-actions` ecosystem and switched its schedule to `daily` so updates land promptly once the cooldown elapses. The `npm` and `pip` ecosystems are unchanged.

The 5-day delay is a deliberate trade-off: it reduces the risk of pulling in a freshly tagged-but-compromised release, at the cost of delaying legitimate security fixes to Actions by up to 5 days. Actions only run in CI (not in production), so this is a reasonable balance.

Verification

`CHANGELOG.md` entry is required (CI-only change, not user-facing).
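As an added example (not code from this PR or the CCF repository), a small Python checker that applies the pinning rule described above to a workflow file: it flags `uses:` references that still point at a tag or branch, and SHA pins that lack the `# <tag>` comment Dependabot relies on to keep them updated. The sample workflow and its SHAs are constructed.

```python
import re

# One `uses:` step line: capture the action reference and an optional trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?(?:\s*#\s*(\S+))?""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; not the CCF repository's own file, SHAs are fake.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v7
      - uses: bencherdev/bencher@main
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-helper
      - run: echo "not a uses: line"
"""

def classify_ref(ref, comment):
    """Classify how a `uses:` reference is pinned.

    local          - repository-relative or docker:// action, nothing to pin
    sha            - full 40-hex commit SHA with the `# <tag>` comment Dependabot tracks
    sha-no-comment - full SHA but no tag comment, so Dependabot will not bump it
    mutable        - tag or branch (@v6, @main) that the action owner can move
    """
    if ref.startswith(("./", "docker://")):
        return "local"
    _, _, version = ref.rpartition("@")
    if FULL_SHA_RE.match(version):
        return "sha" if comment else "sha-no-comment"
    return "mutable"

def audit_workflow(text):
    """Return (line_number, reference, status) for every `uses:` line in a workflow."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            ref, comment = match.group(1), match.group(2)
            findings.append((number, ref, classify_ref(ref, comment)))
    return findings

def unpinned_refs(text):
    """References a reviewer should flag: anything not SHA-pinned with a tag comment."""
    return [ref for _, ref, status in audit_workflow(text) if status in ("mutable", "sha-no-comment")]
```

Run `audit_workflow` over each file in `.github/workflows/` and fail CI when `unpinned_refs` is non-empty to keep the pins from regressing.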