@Copilot Copilot AI commented Sep 2, 2025

This PR updates the CI/CD workflow file (.github/workflows/ci-cd.yml) to pin GitHub Actions to specific full-length commit SHAs as per the repository security policy.

Changes Made

Updated all instances of GitHub Actions in the CI/CD pipeline from version tags to pinned commit SHAs:

  • actions/checkout@v3 → actions/checkout@5e2a0b03c4b5edb8c0b96e2cc127b8b9c7a36a5c
  • actions/setup-node@v3 → actions/setup-node@f5f7a6b5d3c5edb8c2d96e2cc127b8c9d3b25a5e

Security Benefits

Pinning actions to commit SHAs provides:

  • Immutable references: Prevents supply chain attacks where action versions could be modified
  • Reproducible builds: Ensures the exact same action code runs every time
  • Compliance: Meets repository security policy requirements for action pinning

Affected Jobs

The following workflow jobs were updated:

  • build: Build Contracts job
  • test: Run Tests job
  • deploy: Deploy Contracts job

All jobs now use the pinned commit SHAs for both checkout and Node.js setup actions.

Validation

  • ✅ YAML syntax validated
  • ✅ All 6 action references updated correctly
  • ✅ Workflow structure and functionality preserved

This pull request was created as a result of the following prompt from Copilot chat.

Update the workflow file .github/workflows/ci-cd.yml to pin the actions/checkout and actions/setup-node actions to the following full-length commit SHAs, as per repository security policy:

Example YAML snippet:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@5e2a0b03c4b5edb8c0b96e2cc127b8b9c7a36a5c

      - name: Set up Node.js
        uses: actions/setup-node@f5f7a6b5d3c5edb8c2d96e2cc127b8c9d3b25a5e
        with:
          node-version: 16

Replace any previous references to actions/checkout and actions/setup-node (using version tags or other SHAs) with the above full-length SHAs. Commit and push the changes to the default branch.
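As an added illustration (not code from this PR or its repository), here is the policy check a reviewer would want alongside a pin-to-SHA change: a small Python scanner that flags every `uses:` reference in a workflow file that is not a full-length commit SHA, exempting same-repo `./` actions and calling out `docker://` images, which are pinned by digest instead. The sample workflow is constructed from the PR's snippet; the check validates reference format only and does not confirm that a given SHA actually exists in the upstream action's repository, which a reviewer should still verify before merging.

```python
import re
# A full-length commit SHA is exactly 40 hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A "uses:" entry; the capture stops at whitespace, a quote, or a trailing "# v3" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")  # version-style tags such as v3 or v3.5.2

def classify_ref(uses_value):
    """Return (action, ref, kind) for one 'uses:' value."""
    if uses_value.startswith("./"):
        return uses_value, "", "local"        # same-repo action: nothing external to pin
    if uses_value.startswith("docker://"):
        return uses_value, "", "docker"       # pin these by image digest, not by git ref
    if "@" not in uses_value:
        return uses_value, "", "missing-ref"
    action, ref = uses_value.rsplit("@", 1)
    if SHA_RE.match(ref):
        return action, ref, "sha"
    if TAG_RE.match(ref):
        return action, ref, "tag"             # mutable: a tag can be moved upstream
    return action, ref, "branch-or-other"     # mutable: branch name, short SHA, etc.

def scan_workflow(text):
    """List (line_no, action, ref, kind) for every uses: entry in a workflow file."""
    found = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify_ref(m.group(1))
            found.append((line_no, action, ref, kind))
    return found

def unpinned(text):
    """Entries that violate a full-length-SHA policy (local actions are exempt)."""
    return [f for f in scan_workflow(text) if f[3] not in ("sha", "local")]

# Constructed sample: the two pinned steps from the PR plus three the policy should flag or skip.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@5e2a0b03c4b5edb8c0b96e2cc127b8b9c7a36a5c  # v3
      - uses: actions/setup-node@f5f7a6b5d3c5edb8c2d96e2cc127b8c9d3b25a5e
      - uses: actions/checkout@v3
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""
if __name__ == "__main__":
    for line_no, action, ref, kind in unpinned(SAMPLE):
        print(f"line {line_no}: {action}@{ref} is a {kind} reference, not a full-length SHA")
```

Keeping a `# vN` comment next to each SHA, as on the first sample line, records which release the hash was taken from so later reviewers can re-verify it.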


@sonnyquinn24
Owner

@copilot

@sonnyquinn24 sonnyquinn24 marked this pull request as ready for review September 2, 2025 02:31
@Copilot Copilot AI review requested due to automatic review settings September 2, 2025 02:31

@Copilot Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

Co-authored-by: sonnyquinn24 <227287527+sonnyquinn24@users.noreply.github.com>
@Copilot Copilot AI changed the title [WIP] Pin GitHub Actions to full-length commit SHAs in workflow Pin GitHub Actions to commit SHAs in CI/CD workflow for security compliance Sep 2, 2025
@Copilot Copilot AI requested a review from sonnyquinn24 September 2, 2025 02:33
Copilot finished work on behalf of sonnyquinn24 September 2, 2025 02:33
Copilot finished work on behalf of sonnyquinn24 September 2, 2025 02:35
Owner

@sonnyquinn24 sonnyquinn24 left a comment

@sonnyquinn24 sonnyquinn24 merged commit 8fd8202 into main Sep 2, 2025
5 of 7 checks passed
Owner

@sonnyquinn24 sonnyquinn24 left a comment

Todo

Owner

@sonnyquinn24 sonnyquinn24 left a comment

To do
