ci: update workflows on release/25.10-lts #215
Merged
patrick-stephens merged 2 commits into release/25.10-lts on Mar 13, 2026
Conversation
patrick-stephens
previously approved these changes
Mar 13, 2026
Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
64f11e1 to 069736e
patrick-stephens
previously approved these changes
Mar 13, 2026
Pull request overview
This PR hardens CI on release/25.10-lts by pinning GitHub Actions uses: references to immutable commit SHAs for better security and reproducibility, and adds automated enforcement for future PRs.
Changes:
- Pin GitHub Actions across CI workflows to specific commit SHAs (with version comments in most places).
- Add a PR check ("Actions Pin SHA") using `suzuki-shunsuke/pinact-action` to enforce SHA pinning.
- Update Dependabot configuration to group `github-actions` and `docker` updates, and pin the `frabert/replace-string-action` used by the `get-package-name` composite action.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/update-version.yaml | Pins workflow dependencies (checkout, GCP auth/secrets, create-pull-request) to SHAs. |
| .github/workflows/update-lts-branches.yaml | Pins workflow dependencies for LTS branch update automation to SHAs. |
| .github/workflows/unit-tests.yaml | Pins actions used for unit tests, coverage upload, and job aggregation. |
| .github/workflows/test.yaml | Pins checkout action in test workflow. |
| .github/workflows/pr-comment-build.yaml | Pins debug/github-script/checkout actions used for PR comment-driven builds. |
| .github/workflows/lint.yaml | Pins lint actions and adds an Actions SHA pinning enforcement job. |
| .github/workflows/lint-packages.yaml | Pins checkout and download-artifact for package linting. |
| .github/workflows/cron-auto-release.yaml | Pins actions used in scheduled auto-release workflow (checkout, GCP auth/secrets). |
| .github/workflows/call-test-packages.yaml | Pins docker/setup and artifact actions; updates BATS action usage. |
| .github/workflows/call-test-containers.yaml | Pins checkout/docker/login/BATS/tools/actions used in container tests. |
| .github/workflows/call-test-containers-k8s.yaml | Pins checkout/docker/login/helm/kubectl/kind/BATS actions used in k8s tests. |
| .github/workflows/call-publish-release-images.yaml | Pins docker/login, openshift tools installer, and GCP auth/secrets actions. |
| .github/workflows/call-build-windows-packages.yaml | Pins checkout/MSVC/chocolatey/cache/artifact actions for Windows packaging. |
| .github/workflows/call-build-macos-packages.yaml | Pins checkout/cmake/artifact actions for macOS packaging. |
| .github/workflows/call-build-linux-packages.yaml | Pins checkout/docker/setup/login/artifact actions for Linux packaging. |
| .github/workflows/call-build-containers.yaml | Pins docker build/push/metadata/setup and cosign installer actions. |
| .github/workflows/build.yaml | Pins actions across build+release pipeline and reusable workflow invocation. |
| .github/dependabot.yml | Adds grouping for github-actions/docker updates (but see review comment re indentation). |
| .github/actions/get-package-name/action.yml | Pins frabert/replace-string-action to a specific commit SHA. |
Comments suppressed due to low confidence (1)
.github/workflows/lint.yaml:45
- The actionlint step downloads and executes a script from `rhysd/actionlint`'s `main` branch via `curl`, which is not pinned and undermines the supply-chain hardening this PR is introducing. Prefer installing actionlint from a pinned release artifact/checksum or using a dedicated action pinned to a commit SHA.

```yaml
- run: |
    echo "::add-matcher::.github/actionlint-matcher.json"
    bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
    ./actionlint -color -shellcheck=
```
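Two things the review above asks for are easy to get wrong by hand: recognising which `uses:` references are still mutable, and replacing a `bash <(curl .../main/...)` install with something that fails closed. The script below is an added example, not code from this PR, from pinact-action or from actionlint; it is a minimal stand-in for the "Actions Pin SHA" check plus a checksum-verified install helper. The sample workflow, the 40-hex SHA, the version comment and the `install_pinned_tool` arguments are all constructed placeholders. It assumes a POSIX shell with `grep -E`, `sha256sum` (or `shasum`), `curl`, `mktemp` and `install`.

```shell
#!/bin/sh
# Added example (not from the PR): a minimal stand-in for the "Actions Pin SHA"
# check, plus a checksum-verified install pattern that could replace the
# unpinned `bash <(curl .../main/...)` actionlint step flagged in review.
set -eu

# Constructed sample workflow. The 40-hex SHA and the "# v4.2.2" comment are
# placeholders, not a real actions/checkout commit.
SAMPLE_WORKFLOW='name: lint
on: [pull_request]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-go@v5
      - uses: "docker/login-action@main"
      - uses: ./.github/actions/get-package-name
      - run: echo "uses: not a step reference"
'

# Read a workflow on stdin and print each `uses:` reference whose ref is not a
# full 40-character lowercase hex commit SHA. A tag (@v5) or branch (@main) is
# a mutable pointer that the upstream repo owner (or whoever compromises that
# repo) can move; a commit SHA is immutable. Local composite actions (./path)
# and docker:// images carry no git ref and are skipped.
# Returns 1 if any unpinned reference was printed, 0 otherwise.
find_unpinned() {
  found=0
  while IFS= read -r line; do
    # match only the YAML step key, not "uses:" inside a run: string
    printf '%s\n' "$line" | grep -Eq '^[[:space:]]*-?[[:space:]]*uses:' || continue
    ref=${line#*uses:}
    ref=${ref#"${ref%%[![:space:]]*}"}   # strip leading whitespace
    ref=${ref%%[[:space:]]*}            # drop a trailing "# vX.Y.Z" comment
    ref=${ref#\"}; ref=${ref%\"}        # tolerate a quoted value
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    if ! printf '%s\n' "$ref" | grep -Eq '@[0-9a-f]{40}$'; then
      printf '%s\n' "$ref"
      found=1
    fi
  done
  return "$found"
}

# SHA-256 of a file: GNU coreutils sha256sum, falling back to shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Succeeds only if the file's digest equals the expected lowercase hex digest.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Fetch a release artifact from a fixed, versioned URL and install it only if
# its digest matches a value recorded in the repository. URL, digest and
# destination are caller-supplied; for actionlint you would record the digest
# of one specific release asset rather than running main's download script.
install_pinned_tool() {
  url=$1; expected=$2; dest=$3
  tmp=$(mktemp)
  curl -fsSL --retry 3 -o "$tmp" "$url"
  if ! verify_sha256 "$tmp" "$expected"; then
    echo "checksum mismatch for $url, refusing to install" >&2
    rm -f "$tmp"
    return 1
  fi
  install -m 0755 "$tmp" "$dest"
  rm -f "$tmp"
}

# Stand-alone demo: list the unpinned references in the constructed workflow.
printf '%s\n' "$SAMPLE_WORKFLOW" | find_unpinned || echo "unpinned references found" >&2
```

On the sample input the checker reports `actions/setup-go@v5` and `docker/login-action@main` and exits 1, which is the behaviour a PR gate wants. Keep the `# vX.Y.Z` comment after each pinned SHA: it is what makes a pinned `uses:` line reviewable by a human, and it is the convention Dependabot and pinact work with. A pinned SHA only guarantees immutability, not that the pinned commit was reviewed, so the pin should be updated through the same Dependabot-driven PRs this change groups.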
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Pat <patrick.j.k.stephens@gmail.com>
Update workflows automatically on release/25.10-lts