From 0e5c752001a14c60ec1094db09e745b2d7399a05 Mon Sep 17 00:00:00 2001 From: Dan Potepa Date: Tue, 14 Jul 2026 13:36:20 +0100 Subject: [PATCH] Pin versions of GitHub Actions to full commit hash ## What? This PR pins versions of GitHub Actions to full commit hash by pinact. In general, this PR doesn't change the behavior of the workflows, so you can merge this safely. ## Why? A while ago, the popular GitHub Action tj-actions/changed-files action was compromised. - https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised All tags were tampered and they pointed to a revision with malicious code. The issue was solved, but similar issues could happen again. To avoid this kind of issues, we should pin versions of GitHub Actions. This is a common practice of GitHub Actions. https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions > Pin actions to a full length commit SHA > Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. > Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. > When selecting a SHA, you should verify it is from the action's repository and not a repository fork. ## How was this pull request created? This pull request was created by [pinact](https://github.com/suzuki-shunsuke/pinact) and [multi-gitter](https://github.com/lindell/multi-gitter). ## Deadling We will be turning on a global setting that will ENFORCE that all actions can only use pinned versions, if others are in use, the workflow will fail ## Contact If you have any question, please ask at the Slack channel #tech-platform --- .github/workflows/gh-release.yml | 4 ++-- .github/workflows/publish.yml | 4 ++-- .github/workflows/release.yml | 2 +- .github/workflows/test.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/gh-release.yml b/.github/workflows/gh-release.yml index 1564622..9bac2f7 100644 --- a/.github/workflows/gh-release.yml +++ b/.github/workflows/gh-release.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup git run: | git config user.email "developers@messagebird.com" @@ -24,7 +24,7 @@ jobs: export TAG=$(head -1 CHANGELOG.tmp | cut -d' ' -f2) echo "TAG=$TAG" >> $GITHUB_ENV - name: Create Release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index e8b9a99..d723929 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -9,9 +9,9 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@50fbc622fc4ef5163becd7fab6573eac35f8462e # v1.2.0 - name: Publish gem - uses: dawidd6/action-publish-gem@v1 + uses: dawidd6/action-publish-gem@c4713bf1595e0686322d6cf6c1a1c0dcaeca55de # v1.2.0 with: api_key: ${{secrets.RUBYGEMS_API_KEY}} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ba9f076..4cb001b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -43,7 +43,7 @@ jobs: export NEW_VERSION=$(semver bump ${{ env.RELEASE }} $CURRENT) echo "VERSION=$NEW_VERSION" >> $GITHUB_ENV - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Setup git run: | git config user.email "developers@messagebird.com" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 75cdd09..3158b1f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -14,10 +14,10 @@ jobs: ruby-version: [ "3.0.7", "3.1.6", "3.2.6", "3.3.7", "3.4.1" ] steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 - name: Set up Ruby ${{ matrix.ruby-version }} - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@6e5d382445ae5590b7449d8b3bc8cb1c2c27f617 # v1.317.0 with: ruby-version: ${{ matrix.ruby-version }} bundler-cache: true # runs 'bundle install' and caches installed gems automatically