
Pin third-party GitHub Actions to commit SHAs#109

Merged: andrea-sdl merged 2 commits into production from gha-pin/third-party-sha-pinning on Jun 9, 2026

Conversation

@mahangu mahangu commented Jun 9, 2026

Pins GitHub Actions in this repo to immutable commit SHAs.

This PR was prepared with agent assistance and manually verified.

Tracking: DEVPROD-1072

Why

Tag references like actions/checkout@v6 are mutable — a tag can be moved to point at different code after review. Pinning each action to a full 40-character commit SHA (with a trailing # vX.Y.Z comment for readability) makes the supply chain immutable and auditable. Grouped Dependabot updates keep the pins current.

Verification

For each pinned action below, the gh api call returns the commit SHA the tag currently points to; it must match the SHA in the workflow file.

# Confirm each pinned action's SHA matches its trailing version comment, e.g.:
#   gh api repos/<owner>/<repo>/commits/<vX.Y.Z> --jq .sha
# (one call per pinned action; the SHA must match the workflow file)

Re-scan the repo for any remaining unpinned references in scope (should print nothing):

grep -rn 'uses:' .github | grep -v '@[0-9a-f]\{40\}'
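An added audit script, not part of this PR or the repository, that generalises the grep check above: it classifies every `uses:` reference as SHA-pinned, pinned without a trailing version comment, unpinned, or out of scope (local `./` and `docker://` references, which the plain grep would also flag), and runs over a constructed sample workflow embedded inline. Resolving each `# vX.Y.Z` comment to a SHA needs the network and stays with the `gh api` command in the description.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the PR) covering cases the grep in the
# description treats alike: a floating tag, a SHA pin with its version comment,
# a local action, a container image, a branch ref and a SHA without a comment.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v6
      - uses: php-actions/composer@8a65f0d3c6a1d17ca4800491a40b5756a4c164f3 # v6.1.2
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.20
      - uses: some-org/some-action@main
      - uses: other-org/tool@0123456789abcdef0123456789abcdef01234567
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)\s*(?P<comment>#.*)?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")                  # full 40-hex commit SHA only
VERSION_COMMENT_RE = re.compile(r"^#\s*v?\d+(\.\d+)*")  # trailing "# vX.Y.Z" hint

@dataclass
class Finding:
    line: int
    ref: str
    status: str  # pinned | pinned-no-version-comment | unpinned | skipped

def audit_uses(workflow_text: str) -> list[Finding]:
    """Classify every `uses:` reference in the text of one workflow file."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), (m.group("comment") or "").strip()
        if ref.startswith("./") or ref.startswith("docker://"):
            status = "skipped"  # local actions and images are out of scope for SHA pinning
        elif not SHA_RE.match(ref.partition("@")[2]):
            status = "unpinned"  # tag, branch or no ref at all: mutable, fails the policy
        elif not VERSION_COMMENT_RE.match(comment):
            status = "pinned-no-version-comment"  # immutable but unreadable in review
        else:
            status = "pinned"
        findings.append(Finding(lineno, ref, status))
    return findings

def policy_violations(workflow_text: str) -> list[Finding]:
    """What a reviewer should block on: in-scope references that are not SHA pins."""
    return [f for f in audit_uses(workflow_text) if f.status == "unpinned"]
```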

@mahangu mahangu self-assigned this Jun 9, 2026
@mahangu mahangu marked this pull request as ready for review June 9, 2026 03:16
Copilot AI review requested due to automatic review settings June 9, 2026 03:16
@mahangu mahangu requested review from kat3samsin and removed request for abdullah-kasim and brunobasto June 9, 2026 03:17

Copilot AI left a comment

Pull request overview

Pins a third-party GitHub Action reference to an immutable commit SHA to improve workflow supply-chain integrity (DEVPROD-1072).

Changes:

  • Pin php-actions/composer in the unit test workflow to a specific commit SHA (with a version comment).


key: ${{ runner.os }}-${{ hashFiles('**/composer.lock') }}

- uses: php-actions/composer@v6
- uses: php-actions/composer@8a65f0d3c6a1d17ca4800491a40b5756a4c164f3 # v6.1.2
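Review bot: The pin in this hunk loses the automatic forward movement that `@v6` provided, and the description relies on grouped Dependabot updates to replace it, yet no `dependabot.yml` change is visible in the diff; confirm a `github-actions` ecosystem entry exists (ideally in this same PR), otherwise `php-actions/composer@8a65f0d3c6a1d17ca4800491a40b5756a4c164f3 # v6.1.2` will silently go stale. Also run the verification from the description as `gh api repos/php-actions/composer/commits/v6.1.2 --jq .sha` rather than against `v6`, since the major tag and the `v6.1.2` tag named in the comment can point at different commits and the comment must describe the SHA actually pinned.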
@mahangu mahangu marked this pull request as draft June 9, 2026 03:21
@mahangu mahangu marked this pull request as ready for review June 9, 2026 03:22
@andrea-sdl andrea-sdl merged commit 3a5a2bc into production Jun 9, 2026
25 of 26 checks passed