Pin GitHub Actions #14332

maennchen · 2025-03-17T11:02:43Z

Change

This PR pins all GH Actions to a specific commit sha.

All actions invocations are written as uses: [REPO]/[NAME]@[SHA] # [VERSION]. This is supported by dependabot and it will automatically create PRs with both the SHA and version change in the comment.

Reason

As seen with tj-actions/changed-files last week, any version (even if using a tag) can compromise a repository. The only way to prevent this, is to pin the version to a specific SHA.

This is also recommended by ScoreCard: https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies

Recommendation

This will potentially create a lot of dependabot update PRs with the current configuration. In the projects I maintain and pinned the dependencies, I added a grouping rule to reduce the noise:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        applies-to: version-updates
        patterns:
          - "*"

josevalim · 2025-03-17T13:25:24Z

💚 💙 💜 💛 ❤️

josevalim closed this Mar 17, 2025

josevalim reopened this Mar 17, 2025

Pin GitHub Actions

e039e0d

maennchen force-pushed the jm/pin_github_actions branch from 66e5d26 to e039e0d Compare March 17, 2025 12:14

josevalim merged commit 6cd8082 into elixir-lang:main Mar 17, 2025
8 of 10 checks passed

maennchen deleted the jm/pin_github_actions branch March 17, 2025 13:26

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Pin GitHub Actions #14332

Pin GitHub Actions #14332

Uh oh!

maennchen commented Mar 17, 2025

Uh oh!

josevalim commented Mar 17, 2025

Uh oh!

Uh oh!

Uh oh!

Pin GitHub Actions #14332

Pin GitHub Actions #14332

Uh oh!

Conversation

maennchen commented Mar 17, 2025

Change

Reason

Recommendation

Uh oh!

josevalim commented Mar 17, 2025

Uh oh!

Uh oh!

Uh oh!