fix(templates): pin release-generic.yml actions to commit SHAs#46
Conversation
Opengrep's github-actions-mutable-action-tag rule flags the six `@vN` action refs in the shipped release template. Pin each to its release commit SHA with a version comment; refs bumped to current majors (checkout v7, cosign-installer v4, attest-build-provenance v4, action-gh-release v3, sbom-action v0.24). Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
|
There was a problem hiding this comment.
Code Review
This pull request updates the GitHub Actions workflow in skills/github-release/templates/release-generic.yml to pin action versions to specific commit SHAs instead of mutable tags (such as actions/checkout, anchore/sbom-action, sigstore/cosign-installer, actions/attest-build-provenance, and softprops/action-gh-release). This is a security hardening practice to prevent untrusted code execution from tag modifications. There are no review comments, and I have no feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
Pins third-party GitHub Actions used by the skills/github-release “release-generic” workflow template to immutable commit SHAs (with version comments), addressing the mutable-tag security findings referenced in #45 while keeping the workflow’s inputs/configuration the same.
Changes:
- Replaced mutable
@vNaction references with full commit SHAs foractions/checkout,anchore/sbom-action,sigstore/cosign-installer,actions/attest-build-provenance, andsoftprops/action-gh-release. - Added inline version comments (e.g.,
# vX.Y.Z) to preserve human-readable version context.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.



Pins the six mutable
@vNaction refs inskills/github-release/templates/release-generic.ymlto commit SHAs (with version comments), clearing theyaml.github-actions.security.github-actions-mutable-action-tagOpengrep findings that showed on #45.Refs pinned to current majors: checkout v7.0.0, sbom-action v0.24.0, cosign-installer v4.1.2, attest-build-provenance v4.1.1, action-gh-release v3.0.1. Inputs used by the template are unchanged across these majors.