@maresb maresb commented Oct 13, 2025

```bash
uvx gha-tools autoupdate ./.github/workflows/ --pin=all --version-strategy=specific --write
```

This is meant to satisfy zizmor as per the discussion in #1633.

This is considered a security best-practice. GitHub Actions is a huge supply-chain attack surface, and there are occasional compromises of Actions repositories. By pinning the SHA we create a clear record of which action version we're running, and also prevent random uncontrolled upgrades.

As for version upgrades, dependabot will take care of that, respecting the SHAs and version comments.

CC @Armavica


📚 Documentation preview 📚: https://pytensor--1656.org.readthedocs.build/en/1656/
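
The property this PR establishes, checked mechanically, as an added example that is not part of the PR and is not how gha-tools or zizmor work: every `uses:` reference is pinned to a full 40-character commit SHA and carries the version comment dependabot relies on. The workflow text, the `example-org/*` action names and the SHA are constructed placeholders.

```python
import re

# `uses:` at step or job level; captures the reference and any trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^'"\s#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed sample workflow; the example-org actions and the SHA are placeholders.
SAMPLE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-thing@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: example-org/build-thing@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/lint-thing@0123456
      - uses: ./.github/actions/local-step
"""


def classify(ref):
    """Return 'local', 'docker', 'pinned' or 'unpinned' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"    # action stored in this repository, versioned with it
    if ref.startswith("docker://"):
        return "docker"   # container image reference, outside this check
    version = ref.partition("@")[2]
    # Tags, branches and abbreviated SHAs can all be moved or be ambiguous.
    return "pinned" if FULL_SHA_RE.fullmatch(version) else "unpinned"


def audit(workflow_text):
    """Return (line number, reference, problem) for each reference needing attention."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref, comment = match.group(1), (match.group(2) or "").strip()
        kind = classify(ref)
        if kind == "unpinned":
            findings.append((lineno, ref, "not pinned to a full commit SHA"))
        elif kind == "pinned" and not comment:
            findings.append((lineno, ref, "pinned, but no version comment"))
    return findings


if __name__ == "__main__":
    for lineno, ref, problem in audit(SAMPLE):
        print(f"line {lineno}: {ref}: {problem}")
```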

codecov bot commented Oct 13, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.56%. Comparing base (db5178b) to head (333cf99).
⚠️ Report is 4 commits behind head on main.


@@            Coverage Diff             @@
##             main    #1656      +/-   ##
==========================================
- Coverage   81.56%   81.56%   -0.01%     
==========================================
  Files         242      242              
  Lines       53818    53819       +1     
  Branches     9485     9485              
==========================================
  Hits        43899    43899              
- Misses       7430     7431       +1     
  Partials     2489     2489              

@jessegrabowski jessegrabowski merged commit 95acdb3 into pymc-devs:main Oct 13, 2025
61 checks passed
@maresb maresb deleted the pin-actions-by-sha branch October 14, 2025 09:12