Skip to content

Pin GitHub Actions to commit SHAs#55

Merged
djacu merged 2 commits into
mainfrom
harden/sha-pin-actions
Jul 6, 2026
Merged

Pin GitHub Actions to commit SHAs#55
djacu merged 2 commits into
mainfrom
harden/sha-pin-actions

Conversation

@djacu

@djacu djacu commented Jul 6, 2026

Copy link
Copy Markdown
Member

What

Pins every external GitHub Actions reference to a full-length commit SHA, each annotated with a standard # vX.Y.Z version comment. Resolves all unpinned-uses findings from zizmor (19 → 0).

Covered:

  • All four workflows: check.yml, release-guide.yml, netlify-deploy.yml, release-npm-package.yaml
  • The setup-nix composite action

Also in this PR:

  • Normalized the four references that were already SHA-pinned from the non-standard # was vN comment to the standard # vX.Y.Z form.
  • Corrected marocchino/sticky-pull-request-comment: its pinned SHA is actually v3.0.4, but it was labeled # was v2.
  • Updated .github/dependabot.yml so the composite action is covered too (see below).

Each SHA was resolved from the tag it was previously pinned to, so the running versions are unchanged. Every pin was verified with pinact --check and by independently re-resolving each SHA from its version tag.

Why

A version tag like @v7 is mutable — the action owner (or an attacker who compromises the action's repository or account) can repoint it to different code. Pinning to a commit SHA makes each reference immutable.

Dependabot

Dependabot updates SHA-pinned actions (it bumps both the SHA and the version comment), so these stay maintained automatically.

A plain directory: "/" config does not scan composite action.yml files (dependabot-core#6704). This PR works around that by switching .github/dependabot.yml to the directories: form with a /.github/actions/* glob, so the two actions in setup-nix/action.yml are updated too.

Verification

  • actionlint: clean
  • zizmor: unpinned-uses 19 → 0 (the remaining zizmor findings are pre-existing and out of scope for this PR)

djacu added 2 commits July 5, 2026 19:49
Pin every external action reference to a full-length commit SHA with a
standard "# vX.Y.Z" version comment, so a moved or repointed tag cannot
change what runs. Covers all four workflows and the setup-nix composite
action.

Also normalize the four already-pinned actions from the non-standard
"# was vN" comment to the standard "# vX.Y.Z" form, and correct
sticky-pull-request-comment (its pinned SHA is v3.0.4, was mislabeled
"# was v2").

Each SHA was resolved from the tag it was previously pinned to, so the
running versions are unchanged.

Verified: actionlint clean; zizmor unpinned-uses findings 19 -> 0.
Switch the github-actions update from directory: "/" to the directories
form with a "/.github/actions/*" glob so Dependabot also scans composite
action.yml files. Without this, the actions pinned in
.github/actions/setup-nix/action.yml would never be updated.

dependabot/dependabot-core#6704
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Artifact comparison

0 modified · 0 added · 0 deleted · 96 unchanged

Download report — HTML file; open in a browser.

Compared
  • Base: 24c9e2530a6ec67179770159911db164a03a5dd4 (current main tip when this ran)
  • After: b80f408b89de71da8aa099dcd0feb197eae34658 (merge commit; falls back to PR head if unmergeable)

@djacu djacu merged commit 8118835 into main Jul 6, 2026
6 checks passed
@djacu djacu deleted the harden/sha-pin-actions branch July 6, 2026 03:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant