
Pin GitHub Actions to full-length commit SHAs#88

Merged
miguelcalderon merged 1 commit into
mainfrom
miguel/pin-actions-sha
Jun 8, 2026

Conversation

@miguelcalderon miguelcalderon (Contributor) commented Jun 8, 2026

Context: https://pspdfkit.slack.com/archives/C03LUSTQYTF/p1780907940938109?thread_ts=1780905830.180029&cid=C03LUSTQYTF

Summary

Remediates GitHub Actions supply-chain risk by replacing mutable major-version tags on external actions with verified full-length commit SHAs resolved from each action's official upstream repository.

Each pin stays within the same major version that was previously floating, so no major-version upgrade occurs and workflow behavior is preserved.

Actions pinned

| Action (old ref) | New full SHA | Tag | Notes |
| --- | --- | --- | --- |
| actions/checkout@v4 | 34e114876b0b11c390a56381ad16ebd13914f8d5 | v4.3.1 | lightweight tag |
| biomejs/setup-biome@v2 | 4c91541eaada48f67d7dbd7833600ce162b68f51 | v2.7.1 | annotated tag → peeled commit pinned |
| actions/setup-node@v4 | 49933ea5288caeca8642d1e84afbd3f7d6820020 | v4.4.0 | lightweight tag |
| actions/upload-artifact@v4 | ea165f8d65b6e75b540449e92b4886f43607fa02 | v4.6.2 | lightweight tag |

Files changed

  • .github/workflows/biome.yml: actions/checkout, biomejs/setup-biome
  • .github/workflows/playwright.yml: actions/checkout, actions/setup-node, actions/upload-artifact

actions/checkout appeared in both workflows and was pinned to the same SHA in each.

Verification

Tags/SHAs resolved via git ls-remote --tags https://github.com/<owner>/<repo>.git against the official upstream repositories. The setup-biome tag is annotated, so the peeled refs/tags/v2.7.1^{} commit was pinned rather than the tag-object SHA.

🤖 Generated with Claude Code

Replace mutable major-version tags on external actions with verified
full-length commit SHAs from official upstream repositories to mitigate
supply-chain risk. Each pin stays within the same major version, so
workflow behavior is preserved.

- actions/checkout@v4        -> 34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- biomejs/setup-biome@v2     -> 4c91541eaada48f67d7dbd7833600ce162b68f51 # v2.7.1 (annotated tag, peeled commit)
- actions/setup-node@v4      -> 49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
- actions/upload-artifact@v4 -> ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@miguelcalderon miguelcalderon self-assigned this Jun 8, 2026
@miguelcalderon miguelcalderon marked this pull request as ready for review June 8, 2026 09:12
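The annotated-tag case called out in the Verification section is the part of this procedure that is easy to get wrong: `git ls-remote --tags` lists an annotated tag twice, once as the tag object under `refs/tags/<tag>` and once as the commit it points to under `refs/tags/<tag>^{}`, and only the second is a commit that `uses:` can check out. The following is an added example, not code from this PR or from the repository, that parses constructed `ls-remote` output (the SHAs and the workflow snippet are made up for illustration and are not the ones in the table above), picks the peeled commit when one exists, and rewrites `uses:` lines to `owner/repo@<sha> # <tag>` while leaving already-pinned and local (`./`) actions untouched. The function names `parse_ls_remote`, `resolve_tag`, `is_annotated` and `pin_workflow` are this example's own.

```python
"""Resolve action tags to commit SHAs and pin `uses:` lines (added example)."""
import re

# Constructed sample of `git ls-remote --tags https://github.com/<owner>/<repo>.git`
# output. SHAs are placeholders, not the real upstream values.
SAMPLE_LS_REMOTE = {
    "actions/checkout": (
        "0123456789abcdef0123456789abcdef01234567\trefs/tags/v4\n"
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v4.3.0\n"
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\trefs/tags/v4.3.1\n"
    ),
    # v2.7.1 is annotated here: the first SHA is the tag object, the ^{} line is the commit.
    "biomejs/setup-biome": (
        "cccccccccccccccccccccccccccccccccccccccc\trefs/tags/v2\n"
        "dddddddddddddddddddddddddddddddddddddddd\trefs/tags/v2.7.1\n"
        "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee\trefs/tags/v2.7.1^{}\n"
    ),
}

# Constructed workflow fragment used to demonstrate the rewrite.
SAMPLE_WORKFLOW = (
    "jobs:\n"
    "  build:\n"
    "    steps:\n"
    "      - uses: actions/checkout@v4\n"
    "      - uses: biomejs/setup-biome@v2\n"
    "      - uses: ./.github/actions/local\n"
)


def parse_ls_remote(text):
    """Map tag name -> (object_sha, peeled_commit_sha_or_None) from ls-remote output."""
    tags = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):  # peeled entry: the commit behind an annotated tag
            base = name[:-3]
            obj, _ = tags.get(base, (None, None))
            tags[base] = (obj, sha)
        else:
            _, peeled = tags.get(name, (None, None))
            tags[name] = (sha, peeled)
    return tags


def is_annotated(ls_remote_text, tag):
    """True if ls-remote reported a peeled ^{} entry for the tag."""
    return parse_ls_remote(ls_remote_text)[tag][1] is not None


def resolve_tag(ls_remote_text, tag):
    """Return the commit SHA to pin: the peeled commit for an annotated tag,
    otherwise the SHA the lightweight tag points at directly."""
    tags = parse_ls_remote(ls_remote_text)
    if tag not in tags:
        raise KeyError(f"tag {tag} not found in ls-remote output")
    obj, peeled = tags[tag]
    return peeled or obj


USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<repo>[\w.-]+/[\w.-]+)(?P<path>/[^@\s]*)?@(?P<ref>\S+)(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def pin_workflow(workflow_text, pins):
    """Rewrite `uses: owner/repo[/path]@<ref>` lines to `@<sha> # <tag>`.
    `pins` maps "owner/repo" -> (sha, tag). Lines already on a 40-hex SHA,
    actions not in `pins`, and local `./` actions (no `@`) are left unchanged."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("repo") in pins and not FULL_SHA_RE.fullmatch(m.group("ref")):
            sha, tag = pins[m.group("repo")]
            line = f"{m.group('prefix')}{m.group('repo')}{m.group('path') or ''}@{sha} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


def build_pins(ls_remote_by_action, wanted):
    """Resolve {action: tag} to {action: (sha, tag)} from per-action ls-remote output."""
    return {a: (resolve_tag(ls_remote_by_action[a], t), t) for a, t in wanted.items()}


if __name__ == "__main__":
    pins = build_pins(SAMPLE_LS_REMOTE, {"actions/checkout": "v4.3.1", "biomejs/setup-biome": "v2.7.1"})
    print(pin_workflow(SAMPLE_WORKFLOW, pins))
```

To run this against real repositories, replace the constructed strings with the output of `git ls-remote --tags https://github.com/<owner>/<repo>.git` for each action. One caveat worth keeping in mind after a change like this PR: a full-SHA pin no longer follows the major tag, so patch releases (including security fixes) stop arriving on their own, and the `# vX.Y.Z` comment is what tools such as Dependabot or Renovate read to propose the next pin; keep the comment accurate.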

@neonspectra neonspectra left a comment


LGTM

@miguelcalderon miguelcalderon merged commit 1129e9c into main Jun 8, 2026
3 checks passed
@miguelcalderon miguelcalderon deleted the miguel/pin-actions-sha branch June 8, 2026 09:23