Consistently use SHAs to reference GitHub-managed actions #50876

Open
XananasX7 wants to merge 1 commit into spring-projects:main from XananasX7:fix/pin-actions-1782620192

@XananasX7


Pin unpinned GitHub Actions to immutable commit SHAs. Defense against supply-chain attacks via mutable tags. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pin unpinned action references to immutable commit SHAs.
Version tags retained as inline comments.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
@spring-projects-issues added the "status: waiting-for-triage" label (An issue we've not yet triaged) on Jun 28, 2026
@wilkinsona

Member

These are first-party GitHub-managed actions, not third-party actions. That said, we use SHAs in other places when using first-party actions so these changes are worth making for consistency if nothing else. Please update your commit to address the DCO check failure.

@wilkinsona added the "status: waiting-for-feedback" label (We need additional information before we can continue) on Jul 2, 2026
@wilkinsona changed the title from "ci: pin GitHub Actions to full commit SHAs" to "Consistently use SHAs to reference GitHub-managed actions" on Jul 2, 2026
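
An added example, not part of this pull request or the project's repository: a small Python check that lists the `uses:` references in a workflow file that are not pinned to a full 40-character commit SHA, and marks which ones belong to GitHub-managed owners. The sample workflow, the placeholder SHA and the `FIRST_PARTY_OWNERS` set are assumptions made for the illustration.

```python
import re

# Matches a step or reusable-workflow "uses:" line and an optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: treat these owners as GitHub-managed (first-party).
FIRST_PARTY_OWNERS = {"actions", "github"}


def audit_workflow(text):
    """Return one finding per remote `uses:` reference in a workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and container images are not resolved through a git ref.
        if target.startswith(("./", "docker://")):
            continue
        action, _, ref = target.partition("@")
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "pinned": bool(FULL_SHA_RE.fullmatch(ref)),
            "first_party": action.split("/")[0] in FIRST_PARTY_OWNERS,
            "version_comment": comment or None,
        })
    return findings


def unpinned(text):
    """References whose ref is a tag or branch (mutable) rather than a full SHA."""
    return [f for f in audit_workflow(text) if not f["pinned"]]


# Constructed sample; the SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: ./.github/actions/build
      - name: Third-party step
        uses: example-org/example-action@main
"""

if __name__ == "__main__":
    for f in unpinned(SAMPLE):
        print(f"line {f['line']}: {f['action']}@{f['ref']} is not pinned to a commit SHA")
```
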