Skip to content

Pin GitHub Actions to full-length commit SHAs#9

Open
danfiedler-msft wants to merge 1 commit into
mainfrom
danfiedler-msft/pin-actions
Open

Pin GitHub Actions to full-length commit SHAs#9
danfiedler-msft wants to merge 1 commit into
mainfrom
danfiedler-msft/pin-actions

Conversation

@danfiedler-msft

Copy link
Copy Markdown
Collaborator

Summary

This PR pins GitHub Actions to full-length commit SHAs for improved security and reproducibility.

Why?

Pinning actions to commit SHAs prevents supply-chain attacks where a tag could be moved to point to malicious code. This is a recommended security best practice per the GitHub Actions security hardening guide.

What changed?

All third-party action references in .github/workflows/ have been updated from tag-based references (e.g., actions/checkout@v4) to SHA-pinned references with a version comment (e.g., actions/checkout@<sha> # v4).

Is this safe to merge?

Yes. The pinned SHAs correspond to the same commits that the existing tags pointed to. No behavioral changes are introduced.


Generated by pinact

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant