You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The reason is that versions of actions/download-artifact before 4.1.3 have a known vulnerability. While the repos use v4 which is supposed to pull the latest version of the GitHub Action, the issue is that the users have no control on the specific version of actions/download-artifact . To make sure the repos we identified definitely use a fixed version, they can pin the Action to the immutable commit SHA, e.g., uses: actions/download-artifact@95815c3 # v4.2.1
In general, it is advised that all the GitHub Actions are pinned to the commit SHA and avoid using tags because if the Action is compromised, we guarantee that we don't run the malicious code."
actions/upload-artifact@v4 and actions/download-artifact@v4 typically work together.
Since we have decided to use the commit hash approach instead of tags to modify actions/download-artifact@v4, it would be best to ensure both workflows are updated with the same pattern.
I spoke to the Security Team and they are requesting that the action references be pinned to specific SHA commits:
To ensure you're using an immutable version of a GitHub Action, it's important to pin it to a specific commit SHA. If you reference an Action by tag, and the tag is later moved or the Action is compromised, your workflows may unknowingly execute altered or malicious code. Pinning to a SHA prevents this by ensuring that your workflow always uses the exact version you reviewed and approved.
It's also a good practice to include the version string in a comment, as shown in the example. This helps tools like Dependabot keep your dependencies up to date by updating both the version string and the associated commit SHA when a new version is released.
OCA VerifiedAll contributors have signed the Oracle Contributor Agreement.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
oracle-contributor-agreement
bot
added
the
OCA Verified
Background of this PR
In light of recent incidents involving GitHub Actions ( https://www.stepsecurity.io/blog/reviewdog-github-actions-are-compromised, https://www.theregister.com/2025/03/17/supply_chain_attack_github/) the OGHO Team with the recommendation from oracle/macaron team would like to ask you to pin the actions/download-artifact @v4 action with immutable commit.
For example: uses: actions/download-artifact@95815c3 # v4.2.1
The reason is that versions of actions/download-artifact before 4.1.3 have a known vulnerability. While the repos use v4 which is supposed to pull the latest version of the GitHub Action, the issue is that the users have no control on the specific version of actions/download-artifact . To make sure the repos we identified definitely use a fixed version, they can pin the Action to the immutable commit SHA, e.g., uses: actions/download-artifact@95815c3 # v4.2.1
In general, it is advised that all the GitHub Actions are pinned to the commit SHA and avoid using tags because if the Action is compromised, we guarantee that we don't run the malicious code."
"You can read more about this here"
More about this PR
Test
Test passed for all build workflows.
