Skip to content

Pin GitHub Actions#316

Merged
krisztianfekete merged 1 commit into
masterfrom
superq/update_actions
Jul 7, 2026
Merged

Pin GitHub Actions#316
krisztianfekete merged 1 commit into
masterfrom
superq/update_actions

Conversation

@SuperQ

@SuperQ SuperQ commented Jul 4, 2026

Copy link
Copy Markdown
Member

Pin GitHub actions for supply chain security.

  • Mark dependabot config to be skipped by repo sync.

@SuperQ SuperQ requested a review from krisztianfekete July 4, 2026 12:33
@SuperQ SuperQ force-pushed the superq/update_actions branch from e1a5550 to 6f03238 Compare July 4, 2026 12:36

@krisztianfekete krisztianfekete left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, I am not able to find 3 SHAs, can you please check those?

Comment thread .github/workflows/rust.yml Outdated
steps:
- name: Install Protoc
uses: arduino/setup-protoc@v1
uses: arduino/setup-protoc@f4d5893b897028ff5739576ea0409746887fa536 # v3.0.0

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, where is this SHA coming from? I can see a different one for v3.0.0.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, my script for this pulls from the github releases API. Let me see why this is a weird SHA.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wat?

$ gh api "repos/arduino/setup-protoc/git/ref/tags/v3.0.0"
{
  "ref": "refs/tags/v3.0.0",
  "node_id": "MDM6UmVmMjE2Nzk3NDU4OnJlZnMvdGFncy92My4wLjA=",
  "url": "https://api.github.com/repos/arduino/setup-protoc/git/refs/tags/v3.0.0",
  "object": {
    "sha": "f4d5893b897028ff5739576ea0409746887fa536",
    "type": "tag",
    "url": "https://api.github.com/repos/arduino/setup-protoc/git/tags/f4d5893b897028ff5739576ea0409746887fa536"
  }
}

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Weird, it seems like the tag SHA is different from the commit SHA?

{
  "node_id": "TA_kwDODOwREtoAKGY0ZDU4OTNiODk3MDI4ZmY1NzM5NTc2ZWEwNDA5NzQ2ODg3ZmE1MzY",
  "sha": "f4d5893b897028ff5739576ea0409746887fa536",
  "url": "https://api.github.com/repos/arduino/setup-protoc/git/tags/f4d5893b897028ff5739576ea0409746887fa536",
  "tagger": {
    "name": "Alessio Perugini",
    "email": "alessioper.98@gmail.com",
    "date": "2024-01-31T16:07:01Z"
  },
  "object": {
    "sha": "c65c819552d16ad3c9b72d9dfd5ba5237b9c906b",
    "type": "commit",
    "url": "https://api.github.com/repos/arduino/setup-protoc/git/commits/c65c819552d16ad3c9b72d9dfd5ba5237b9c906b"
  },
  "tag": "v3.0.0",
  "message": "v3.0.0\n-----BEGIN SSH SIGNATURE-----\nU1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgoNtlU6pK7Wh241mMrnFjDlk+OR\nS2JujVZ/sAQOKKylYAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5\nAAAAQHPo4pLagVKEc/TfXrhbtRZL8lEPVjVUnvH8nlbEGnmNXSCAZqjF2A39XbbSyQN46F\njVJyhvQqcN2oWHmDBrnAM=\n-----END SSH SIGNATURE-----\n",
  "verification": {
    "verified": true,
    "reason": "valid",
    "signature": "-----BEGIN SSH SIGNATURE-----\nU1NIU0lHAAAAAQAAADMAAAALc3NoLWVkMjU1MTkAAAAgoNtlU6pK7Wh241mMrnFjDlk+OR\nS2JujVZ/sAQOKKylYAAAADZ2l0AAAAAAAAAAZzaGE1MTIAAABTAAAAC3NzaC1lZDI1NTE5\nAAAAQHPo4pLagVKEc/TfXrhbtRZL8lEPVjVUnvH8nlbEGnmNXSCAZqjF2A39XbbSyQN46F\njVJyhvQqcN2oWHmDBrnAM=\n-----END SSH SIGNATURE-----\n",
    "payload": "object c65c819552d16ad3c9b72d9dfd5ba5237b9c906b\ntype commit\ntag v3.0.0\ntagger Alessio Perugini \u003Calessioper.98@gmail.com\u003E 1706717221 +0100\n\nv3.0.0\n",
    "verified_at": "2024-11-06T14:52:49Z"
  }
}```

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$ git clone https://github.com/arduino/setup-protoc.git
$ cd setup-protoc
$ git show-ref --tags
...
e58d94cc5c94a8e49c8b747feac4b1c17f199561 refs/tags/v2.0.0
9389d971368b9729ed1c0c6d988ecff2a19a5c82 refs/tags/v2.1.0
f4d5893b897028ff5739576ea0409746887fa536 refs/tags/v3.0.0

Seems legit?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh, I see now. Those 3 aren't the actual commits but the tag/release objects. Your script probably looks up refs/tags/vX, and for a tag that ref points at a tag object not the commit, so one hop might be missing?

The actions/* ones are tags that point to the commits directly, so this seems to be the reason why these were weird.

Can we change to commit SHAs for these 3 as well to keep it consistent and make it easy for users to look up what we pin?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, exactly, it goes off the release tag.

I can change this, but I can't say for sure what Dependabot will do when it updates things.

Comment thread .github/workflows/rust.yml Outdated
- uses: actions/checkout@v2
- uses: actions-rs/toolchain@v1
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
- uses: actions-rs/toolchain@56751392ac172fc3a68fef1413f507767ed5f563 # v1.0.6

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cannot find this SHA either in the original repository.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI, I noticed this action is archived. Might be worth looking into a replacement.

Comment thread .github/workflows/rust.yml Outdated
key: cargo-index-${{ hashFiles('Cargo.toml') }}

- uses: actions-rs/cargo@v1
- uses: actions-rs/cargo@b0651d9f4d4983fd4cc8e94d927bdc0bb5566667 # v1.0.1

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cannot find this SHA either in the original repository.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same with this one, it's archived.

Pin GitHub actions for supply chain security.
* Mark dependabot config to be skipped by repo sync.

Signed-off-by: SuperQ <superq@gmail.com>
@SuperQ SuperQ force-pushed the superq/update_actions branch from 6f03238 to 5f6871e Compare July 7, 2026 11:27
@SuperQ SuperQ requested a review from krisztianfekete July 7, 2026 11:29
@krisztianfekete krisztianfekete added this pull request to the merge queue Jul 7, 2026
Merged via the queue into master with commit 44a1f8b Jul 7, 2026
19 checks passed
@krisztianfekete krisztianfekete deleted the superq/update_actions branch July 7, 2026 12:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants