chore: pin GitHub Actions to commit SHA, remove pr-review workflow#13662
- Pin all action references to full commit SHA instead of mutable version tags. Tag retained as inline comment for readability.
- Remove pr-review.yml workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
Pull request overview
This PR hardens GitHub Actions security and reproducibility by pinning all referenced actions/reusable workflows to immutable commit SHAs, and removes the pr-review workflow.
Changes:
- Pin action references in existing workflows to full commit SHAs (with version tags kept as inline comments).
- Pin reusable workflow calls (e.g., docker/github-builder, docker/docs) to specific commit SHAs.
- Remove the .github/workflows/pr-review.yml workflow.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/stale.yml | Pins actions/stale to a commit SHA. |
| .github/workflows/pr-review.yml | Removes the PR review automation workflow. |
| .github/workflows/merge.yml | Pins checkout/setup-go and reusable workflow/action invocations to SHAs. |
| .github/workflows/docs-upstream.yml | Pins checkout/upload-artifact and the docker/docs reusable workflow to SHAs. |
| .github/workflows/ci.yml | Pins all referenced actions/reusable workflows (checkout, buildx, artifacts, bake, codecov, etc.) to SHAs. |
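The kind of check a repository would run in CI to keep the pinning this PR introduces from regressing: a small audit script, added here as an example and not part of the docker/compose project, that walks a workflow file and reports every `uses:` reference that still floats on a tag or branch, or that is SHA-pinned without the `# vN` comment the PR keeps beside each SHA. The sample workflow embedded in it is constructed (the all-zero SHA and the docker/docs workflow path are placeholders); the test-summary and checkout lines mirror the hunks in this PR.

```python
import re

# `uses:` of a step ("- uses:") or of a reusable-workflow job, with optional "# vN" comment.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref, comment):
    """Classify one `uses:` reference."""
    if ref.startswith("./"):
        return "local"   # in-repo action, nothing to pin
    if ref.startswith("docker://"):
        return "docker"  # pin such images by digest; not covered here
    _, _, version = ref.partition("@")
    if not SHA_RE.match(version):
        return "tag"     # mutable tag/branch (@v4, @main) or no ref at all
    return "pinned" if comment else "no-comment"

def audit_uses(workflow_text):
    """Return (line_no, ref, status) for every `uses:` line in a workflow."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref").strip("'\"")
            findings.append((n, ref, classify(ref, m.group("comment"))))
    return findings

def unpinned(workflow_text):
    """Lines still floating on a tag, or SHA-pinned without the tag comment."""
    return [f for f in audit_uses(workflow_text) if f[2] in ("tag", "no-comment")]

# Constructed sample modelled on the ci.yml hunks in this PR; the all-zero SHA
# and the docker/docs workflow path are placeholders, not real references.
SAMPLE = """\
jobs:
  test:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Unit Test Summary
        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2
      - uses: actions/upload-artifact@0000000000000000000000000000000000000000
      - uses: ./.github/actions/local-thing
  docs:
    uses: docker/docs/.github/workflows/example.yml@main
"""

if __name__ == "__main__":
    for n, ref, status in unpinned(SAMPLE):
        print(f"line {n}: {ref} -> {status}")
```

Run against `.github/workflows/*.yml` and fail the job when `unpinned()` returns anything; the script only recognises a pin by its shape, so verifying that each SHA really is the commit behind the commented tag remains a separate step.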
| - | ||
| name: Unit Test Summary | ||
| uses: test-summary/action@v2 | ||
| uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2 | ||
| with: | ||
| paths: bin/coverage/unit/report.xml |
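Review bot: the `# v2` comment beside the new SHA only names a major line, so it does not say which release 31493c7 was resolved from; record the exact tag instead of the floating `v2`, so the pin can be checked against the upstream tag and kept current by dependency-update tooling, and apply the same to the second test-summary/action site below.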
There is trailing whitespace in this steps list item (the - line) and in the paths: value. Trailing spaces can cause noisy diffs and can break YAML/whitespace linters if enabled later; please remove the extra spaces and keep the list item marker formatting consistent with the rest of the file.
| uses: test-summary/action@v2 | ||
| uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86 # v2 | ||
| with: | ||
| paths: /tmp/report/report.xml |
The paths: value here has trailing whitespace. Please trim it to avoid noisy diffs and potential YAML/whitespace lint failures.
| paths: /tmp/report/report.xml | |
| paths: /tmp/report/report.xml |
.github/workflows/ci.yml
| - | ||
| name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
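Review bot: a bare SHA carries no provenance of its own and `# v4` identifies only a major line; record the exact tag 34e1148 was resolved from and confirm that resolution against the action's own repository (for example `git ls-remote --tags https://github.com/actions/checkout`) rather than copying the SHA from elsewhere, since a commit that exists only in a fork can still be reachable through the upstream repository name.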
Should we take the opportunity to update to current versions? (v6 or v6.0.2)? I think dependabot then also will update them.
(Not sure if the older versions use obsolete Node versions, so may become non-functional)
- actions/checkout v4 -> v6
- actions/upload-artifact v4/v6 -> v7
- actions/download-artifact v4/v7 -> v8
- docker/setup-buildx-action v3 -> v4
- docker/bake-action v6 -> v7
- actions/stale v9 -> v10
- actions/create-github-app-token v1 -> v3
- actions/github-script v7 -> v8
- ossf/scorecard-action v2.4.0 -> v2.4.3
- ncipollo/release-action v1.10.0 -> v1.21.0
- mxschmitt/action-tmate v3.11 -> v3.23
- codecov/codecov-action, test-summary/action, github/codeql-action: bump to latest patch

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Guillaume Lours <glours@users.noreply.github.com>
What I did
Related issue
N/A