From fa8cc79e4d792caa57888292f0a6227d53707878 Mon Sep 17 00:00:00 2001 From: Dan Potepa Date: Tue, 14 Jul 2026 13:36:06 +0100 Subject: [PATCH] Pin versions of GitHub Actions to full commit hash ## What? This PR pins versions of GitHub Actions to full commit hash by pinact. In general, this PR doesn't change the behavior of the workflows, so you can merge this safely. ## Why? A while ago, the popular GitHub Action tj-actions/changed-files action was compromised. - https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised All tags were tampered and they pointed to a revision with malicious code. The issue was solved, but similar issues could happen again. To avoid this kind of issues, we should pin versions of GitHub Actions. This is a common practice of GitHub Actions. https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions > Pin actions to a full length commit SHA > Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. > Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. > When selecting a SHA, you should verify it is from the action's repository and not a repository fork. ## How was this pull request created? This pull request was created by [pinact](https://github.com/suzuki-shunsuke/pinact) and [multi-gitter](https://github.com/lindell/multi-gitter). ## Deadling We will be turning on a global setting that will ENFORCE that all actions can only use pinned versions, if others are in use, the workflow will fail ## Contact If you have any question, please ask at the Slack channel #tech-platform --- .github/workflows/release.yml | 4 ++-- .github/workflows/test.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 38ab6f7..43dff3d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -9,11 +9,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: 14 - name: Install dependencies diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d2e148f..8837695 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -6,11 +6,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 - name: Setup Node.js - uses: actions/setup-node@v3 + uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1 with: node-version: 14 - name: Install dependencies