Pin GitHub Actions to specific commit SHAs (DRIVER-583)#873
Merged: nikagra merged 1 commit into scylladb:scylla-3.x, Apr 22, 2026
Conversation
Pull request overview
Pins third-party GitHub Actions in this repository’s workflows to immutable commit SHAs to reduce supply-chain risk, and documents how to maintain those pins going forward.
Changes:
- Replace mutable `uses: ...@v*` action references with full commit SHAs (with inline version comments) across the updated workflows.
- Add contributor documentation describing the pinning rationale and update procedure (including allowlist/update steps).
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| CONTRIBUTING.md | Adds guidance on why/how workflow action SHAs are pinned and how to update them. |
| .github/workflows/tests@v1.yml | Pins all referenced actions (checkout, setup-java/python, cache restore/save, upload-artifact, junit report) to full SHAs. |
| .github/workflows/tests-reports@v1.yml | Pins dorny/test-reporter to a specific SHA. |
| .github/workflows/tests-reports-4x@v1.yml | Pins dorny/test-reporter to a specific SHA for the 4.x reports workflow. |
| .github/workflows/release.yml | Pins checkout/setup-java/upload-artifact actions to full SHAs. |
| .github/workflows/docs-pr.yaml | Pins checkout/setup-python/setup-java actions to full SHAs for docs PR builds. |
| .github/workflows/docs-pages.yaml | Pins checkout/setup-python/setup-java actions to full SHAs for docs publishing. |
dkropachev approved these changes on Apr 21, 2026
Replace all third-party action version tags (e.g. @v4, @v5) with immutable commit SHAs to reduce supply chain attack surface. Version tags are mutable and can be redirected to malicious code; SHAs are permanent.

The pinned versions are:

- actions/checkout v4.3.1 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/checkout v5.0.1 93cb6efe18208431cddfb8368fd83d5badbf9bfd
- actions/setup-java v5.2.0 be666c2fcd27ec809703dec50e508c2fdc7f6654
- actions/setup-python v5.6.0 a26af69be951a213d495a4c3e4e4022e16d87065
- actions/setup-python v6.2.0 a309ff8b426b58ec0e2a45f0f869d46889d02405
- actions/cache (restore/save) v4.3.0 0057852bfaa89a56745cba8c7296529d2fc39830
- actions/upload-artifact v4.6.2 ea165f8d65b6e75b540449e92b4886f43607fa02
- mikepenz/action-junit-report v5.6.2 3585e9575db828022551b4231f165eb59a0e74e3
- dorny/test-reporter v1 3eeb9fc888e82e8be2fb356bbeec2750231672bc

Also adds a section to CONTRIBUTING.md explaining how to safely update pinned actions in the future (find SHA for tag, verify no impostor commit, update workflow files and repo settings allowlist).

Closes: DRIVER-583

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Summary
Closes DRIVER-583 / part of DRIVER-515.
Replaces all third-party GitHub Action version tags (e.g. @v4, @v5) with immutable full commit SHAs across all 6 workflow files on the scylla-3.x branch. This reduces the supply chain attack surface: mutable tags can be silently redirected to malicious code, while a pinned SHA is permanent.

Pinned versions

- actions/checkout 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/checkout 93cb6efe18208431cddfb8368fd83d5badbf9bfd
- actions/setup-java be666c2fcd27ec809703dec50e508c2fdc7f6654
- actions/setup-python a26af69be951a213d495a4c3e4e4022e16d87065
- actions/setup-python a309ff8b426b58ec0e2a45f0f869d46889d02405
- actions/cache (restore/save) 0057852bfaa89a56745cba8c7296529d2fc39830
- actions/upload-artifact ea165f8d65b6e75b540449e92b4886f43607fa02
- mikepenz/action-junit-report 3585e9575db828022551b4231f165eb59a0e74e3
- dorny/test-reporter 3eeb9fc888e82e8be2fb356bbeec2750231672bc

Note: two actions have different versions across files (docs workflows use older checkout@v4/setup-python@v5 while the tests workflow uses @v5/@v6). Both are pinned to their respective SHAs without upgrading versions.

Files changed

- .github/workflows/docs-pages.yaml
- .github/workflows/docs-pr.yaml
- .github/workflows/release.yml
- .github/workflows/tests@v1.yml
- .github/workflows/tests-reports@v1.yml
- .github/workflows/tests-reports-4x@v1.yml
- CONTRIBUTING.md — added section explaining how to update pinned actions in the future

Required follow-up (manual, needs repo admin)

Update Settings -> Actions -> General -> Allow or block specified actions and reusable workflows to allowlist the pinned SHAs:

Reference implementation: scylladb/nodejs-rs-driver#430
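As an added example (not part of this PR or the repository's own tooling), a small Python audit that checks a workflow against the convention this PR establishes: every third-party `uses:` reference must be a full 40-character commit SHA, that SHA must appear in the allowlist (built here from the SHAs listed above), and the reference must carry the inline version comment. The `audit_workflow` function and the sample workflow are constructed for illustration.

```python
import re

# "uses: owner/repo[/subpath]@ref" with an optional inline "# vX.Y.Z" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+)(?:/[\w./-]+)?"
                     r"@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full commit SHA, never an abbreviated one

# Allowlist of accepted pins, taken from the SHAs this PR introduces.
ALLOWLIST = {
    "actions/checkout": {"34e114876b0b11c390a56381ad16ebd13914f8d5",
                         "93cb6efe18208431cddfb8368fd83d5badbf9bfd"},
    "actions/setup-java": {"be666c2fcd27ec809703dec50e508c2fdc7f6654"},
    "actions/setup-python": {"a26af69be951a213d495a4c3e4e4022e16d87065",
                             "a309ff8b426b58ec0e2a45f0f869d46889d02405"},
    "actions/cache": {"0057852bfaa89a56745cba8c7296529d2fc39830"},
    "actions/upload-artifact": {"ea165f8d65b6e75b540449e92b4886f43607fa02"},
    "mikepenz/action-junit-report": {"3585e9575db828022551b4231f165eb59a0e74e3"},
    "dorny/test-reporter": {"3eeb9fc888e82e8be2fb356bbeec2750231672bc"},
}

def audit_workflow(text, allowlist=ALLOWLIST):
    """Classify every 'uses:' reference as (line_no, action, status): 'ok' (full SHA,
    allowlisted, with a "# vX.Y.Z" comment), 'mutable-ref' (tag or branch that can be
    moved), 'sha-not-allowlisted', or 'no-version-comment'. Local ./path and
    docker:// references carry no owner/repo@ref and are skipped here."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        if not SHA_RE.match(ref):
            status = "mutable-ref"
        elif ref not in allowlist.get(action, ()):
            status = "sha-not-allowlisted"
        elif not comment:
            status = "no-version-comment"
        else:
            status = "ok"
        findings.append((line_no, action, status))
    return findings

# Constructed sample workflow; the all-zero SHA is a deliberate placeholder.
SAMPLE = """\
steps:
  - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
  - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
  - uses: actions/setup-python@v5
  - uses: dorny/test-reporter@0000000000000000000000000000000000000000 # v1
"""
```

Running `audit_workflow(SAMPLE)` flags the unannotated setup-java pin, the mutable setup-python tag and the non-allowlisted test-reporter SHA, and passes only the checkout line.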