Pin GitHub Actions to commit SHAs#55
Merged
Merged
Conversation
Pin every external action reference to a full-length commit SHA with a standard "# vX.Y.Z" version comment, so a moved or repointed tag cannot change what runs. Covers all four workflows and the setup-nix composite action. Also normalize the four already-pinned actions from the non-standard "# was vN" comment to the standard "# vX.Y.Z" form, and correct sticky-pull-request-comment (its pinned SHA is v3.0.4, was mislabeled "# was v2"). Each SHA was resolved from the tag it was previously pinned to, so the running versions are unchanged. Verified: actionlint clean; zizmor unpinned-uses findings 19 -> 0.
Switch the github-actions update from directory: "/" to the directories form with a "/.github/actions/*" glob so Dependabot also scans composite action.yml files. Without this, the actions pinned in .github/actions/setup-nix/action.yml would never be updated. dependabot/dependabot-core#6704
Artifact comparison0 modified · 0 added · 0 deleted · 96 unchanged Download report — HTML file; open in a browser. Compared
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Pins every external GitHub Actions reference to a full-length commit SHA, each annotated with a standard
# vX.Y.Zversion comment. Resolves allunpinned-usesfindings from zizmor (19 → 0).Covered:
check.yml,release-guide.yml,netlify-deploy.yml,release-npm-package.yamlsetup-nixcomposite actionAlso in this PR:
# was vNcomment to the standard# vX.Y.Zform.marocchino/sticky-pull-request-comment: its pinned SHA is actuallyv3.0.4, but it was labeled# was v2..github/dependabot.ymlso the composite action is covered too (see below).Each SHA was resolved from the tag it was previously pinned to, so the running versions are unchanged. Every pin was verified with
pinact --checkand by independently re-resolving each SHA from its version tag.Why
A version tag like
@v7is mutable — the action owner (or an attacker who compromises the action's repository or account) can repoint it to different code. Pinning to a commit SHA makes each reference immutable.Dependabot
Dependabot updates SHA-pinned actions (it bumps both the SHA and the version comment), so these stay maintained automatically.
A plain
directory: "/"config does not scan compositeaction.ymlfiles (dependabot-core#6704). This PR works around that by switching.github/dependabot.ymlto thedirectories:form with a/.github/actions/*glob, so the two actions insetup-nix/action.ymlare updated too.Verification
actionlint: cleanzizmor:unpinned-uses19 → 0 (the remaining zizmor findings are pre-existing and out of scope for this PR)