Pin GitHub Action references to commit SHAs #445

Merged: thpierce merged 2 commits into master from pin-github-actions-sha on Mar 18, 2026

Conversation

@thpierce (Contributor) commented Mar 18, 2026

Summary

Pin all GitHub Action references in workflow files to full-length commit SHAs to protect against supply-chain attacks (tag/branch mutation, upstream compromises). A static code check job was also added to pr-build.yml to verify pinned actions going forward.

Changes

| Action | Pinned SHA | Version |
|---|---|---|
| actions/checkout | 50fbc622fc4ef5163becd7fab6573eac35f8462e | v1.2.0 |
| actions/checkout | ee0669bd1cc54295c223e0bb666b733df41de1c5 | v2.7.0 |
| actions/setup-java | b6e674f4b717d7b0ae3baee0fbe79f498905dfde | v1.4.4 |
| actions/cache | 0057852bfaa89a56745cba8c7296529d2fc39830 | v4.3.0 |
| actions/upload-artifact | ea165f8d65b6e75b540449e92b4886f43607fa02 | v4.6.2 |
| actions/create-release | 0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e | v1.1.4 |
| aws-actions/configure-aws-credentials | 7474bc4690e29a8392af63c5b98e7449536d5c3a | v4.3.1 |
| codecov/codecov-action | 29386c70ef20e286228c72b668a06fd0e8399192 | v1.5.2 |

Static Code Check

A new static-code-check job was added to pr-build.yml that validates that all GitHub Action `uses:` references are pinned to full 40-character commit SHAs, preventing unpinned references from being merged.
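As an added example (not the PR's own check script), a stricter variant of the validation described above: instead of rejecting only `@v...` tags, it strips trailing comments and requires every remote `uses:` reference to end in a full 40-hex commit SHA, so branch names, non-`v` tags, abbreviated SHAs and missing refs are all flagged. The sample workflow fragment, the `some-org/*` action names and the abbreviated SHA are constructed; the full SHA is the actions/checkout pin from the table.

```python
import re

# Accept only a full 40-hex commit SHA after "@"; 7..39 hex chars is an abbreviated SHA.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
ABBREV_SHA = re.compile(r"^[0-9a-f]{7,39}$")
# Matches "- uses: ref" and "uses: ref" (the latter when "name:" comes first), optionally quoted.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*(['"]?)(?P<ref>[^'"\s]+)\1""")

def find_unpinned(text, filename="<workflow>"):
    """Return (filename, line_no, ref, reason) for each `uses:` reference not pinned
    to a full 40-hex SHA; local (./path) and docker:// references carry no git ref."""
    violations = []
    for line_no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop full-line comments and "# v4.3.0"-style hints
        m = USES.match(code)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith(("./", "docker://")):
            continue
        if "@" not in ref:
            violations.append((filename, line_no, ref, "no ref (resolves to the default branch)"))
            continue
        pin = ref.rsplit("@", 1)[1]
        if SHA40.match(pin):
            continue
        reason = "abbreviated SHA" if ABBREV_SHA.match(pin) else "mutable tag or branch"
        violations.append((filename, line_no, ref, reason))
    return violations

# Constructed sample (not from the PR); the full SHA is the actions/checkout pin from the table.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
      - uses: actions/setup-java@v4
      - name: Local composite action
        uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: aws-actions/configure-aws-credentials@7474bc4
      - uses: some-org/some-action@main
      # - uses: some-org/old-action@v1   (commented out: must be ignored)
      - uses: some-org/unversioned-action
"""

if __name__ == "__main__":
    for path, no, ref, why in find_unpinned(SAMPLE_WORKFLOW, "sample.yml"):
        print(f"{path}:{no}: {ref}  ({why})")
```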

@thpierce thpierce requested a review from a team as a code owner March 18, 2026 17:00
Comment on lines +66 to +88
    runs-on: ubuntu-latest
    steps:

      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #5.0.0
        with:
          fetch-depth: 0
      - name: Check for versioned GitHub actions
        if: always()
        run: |
          # Get changed GitHub workflow/action files
          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)

          if [ -n "$CHANGED_FILES" ]; then
            # Check for any versioned actions, excluding comments and this validation script
            VIOLATIONS=$(grep -Hn "uses:.*@v" $CHANGED_FILES | grep -v "grep.*uses:.*@v" | grep -v "#.*@v" || true)
            if [ -n "$VIOLATIONS" ]; then
              echo "Found versioned GitHub actions. Use commit SHAs instead:"
              echo "$VIOLATIONS"
              exit 1
            fi
          fi

          echo "No versioned actions found in changed files"
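Review bot: the `VIOLATIONS=$(grep -Hn "uses:.*@v" ...)` line enforces less than the PR description promises: it rejects only refs that start with `v`, so `@main`, `@master`, non-`v` tags and abbreviated SHAs pass unflagged, and the `grep -v "#.*@v"` filter discards any line whose trailing comment happens to mention `@v`, even when the reference before the comment is a versioned tag. A positive match would implement the stated rule: strip the trailing `# vX.Y.Z` comment, skip local `./` actions, and require the remaining `uses:` value to match `@[0-9a-f]{40}$`. Separately, `if: always()` makes this step run even when the checkout step failed, in which case `git diff` errors out instead of producing a useful result; the condition can be dropped.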

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, about 17 hours ago)

  • In general, the fix is to explicitly specify a permissions block at the job or workflow level, restricting the GITHUB_TOKEN to only what the job needs, typically contents: read for read-only workflows.
  • For this workflow, the static-code-checks job only needs to check out code and run git/grep locally. It does not push changes, create releases, or modify issues/PRs. So we should add permissions: contents: read to that job. This mirrors the existing restriction already present on the build job (lines 10–11).
  • Concretely, in .github/workflows/pr-build.yml, under jobs: static-code-checks:, add a permissions: block at the same indentation level as runs-on. For example, between lines 65 and 66, insert:
    permissions:
      contents: read
  • No extra imports or methods are required; this is purely a YAML configuration change within the workflow.
Suggested changeset 1
.github/workflows/pr-build.yml

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -63,6 +63,8 @@
           path: jacoco/build/reports/jacoco/codeCoverageReport/html
 
   static-code-checks:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
 
EOF
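Review bot: scoping `permissions: contents: read` to the `static-code-checks` job is the right fix for this warning, since the job only checks out the repository and runs `git diff` and `grep` locally, and it matches the restriction the `build` job already carries. Consider also adding a workflow-level `permissions: contents: read` default so that any job added to pr-build.yml later starts from least privilege rather than the default `GITHUB_TOKEN` permissions, and this finding is not raised again per job.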
@thpierce thpierce merged commit 89b1eab into master Mar 18, 2026
8 checks passed
@thpierce thpierce deleted the pin-github-actions-sha branch March 18, 2026 22:57