Pin all workflow actions to commit SHA1 hashes#558
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #558   +/-   ##
=======================================
  Coverage   97.65%   97.65%
=======================================
  Files          63       63
  Lines        2298     2298
=======================================
  Hits         2244     2244
  Misses         54       54
```
Flags with carried forward coverage won't be shown. ☔ View full report in Codecov by Sentry.
Agent-Logs-Url: https://github.com/fabiocaccamo/python-benedict/sessions/86292ea2-ba1b-4685-9eb6-680506475704
Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>
Pull request overview
This PR hardens the repository’s GitHub Actions supply chain by replacing mutable action version tags with immutable commit SHA pins (while retaining the original versions as inline comments) across the existing workflows.
Changes:
- Pinned commonly used marketplace actions (checkout/setup-python/codecov/etc.) to full commit SHA1s in all workflows under .github/workflows/.
- Preserved prior version tags as inline comments for readability/auditability.
- Updated release, scorecard, test, and pre-commit auto-update workflows consistently.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/test-package.yml | Pin action references for checkout/setup-python/codecov in the test workflow. |
| .github/workflows/pre-commit-autoupdate.yml | Pin action references for checkout/setup-python/pre-commit autoupdate/create-pull-request. |
| .github/workflows/create-release.yml | Pin action references used for release creation and PyPI publishing. |
| .github/workflows/scorecard.yml | Pin action references for checkout/scorecard/upload-sarif. |
| steps: | ||
|
|
||
| - uses: actions/checkout@v6 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | ||
|
|
||
| - name: Set up Python ${{ matrix.python-version }} | ||
| uses: actions/setup-python@v6 | ||
| uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 |
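Review bot: the trailing `# v6` comment on the pinned `actions/checkout` and `actions/setup-python` lines records the floating major tag rather than the exact release the SHA was resolved from, so a reader cannot check that `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is in fact a `v6` release of actions/checkout without re-resolving it. Consider recording the precise tag (`# v6.<minor>.<patch>`, whatever the SHA was taken from) and, before merging, confirming each SHA is reachable from that tag in the upstream repository rather than a fork; an accurate comment also gives tooling such as Dependabot the version it reads when proposing a newer pin.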
Replace mutable version tags with immutable commit SHA1 pins across all GitHub Actions workflows, mitigating supply chain attacks where a tag could be silently redirected to malicious code. Version tags are preserved as inline comments for readability.
Changes by file
- .github/workflows/test-package.yml — pinned actions/checkout, actions/setup-python, codecov/codecov-action
- .github/workflows/pre-commit-autoupdate.yml — pinned actions/checkout, actions/setup-python, browniebroke/pre-commit-autoupdate-action, peter-evans/create-pull-request
- .github/workflows/create-release.yml — pinned actions/checkout, actions/setup-python, ffurrer2/extract-release-notes, ncipollo/release-action, pypa/gh-action-pypi-publish
- .github/workflows/scorecard.yml — pinned actions/checkout, ossf/scorecard-action, github/codeql-action/upload-sarif

Example of the pin format used:
Related issue
?
Checklist before requesting a review
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/repos/ncipollo/release-action/git/refs/tags/v1
  /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:
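As an added example (not code from python-benedict or from this PR), the script below audits workflow files for the property the PR enforces: every `uses: owner/repo@ref` line should carry a full 40-hex commit SHA followed by a `# <version>` comment. A reference that still uses a tag or branch is reported as mutable, and a SHA pin with no trailing comment is reported as hard to audit. The sample workflow text is constructed inline; the two SHAs in it are the ones visible in the diff above, and the local action path and `docker://` handling are assumptions about inputs the PR does not show.

```python
"""Audit GitHub Actions workflows for mutable action references.

Added example, not part of python-benedict or this PR. It scans workflow
YAML text line by line for `uses: owner/repo@ref` and reports references
pinned to a tag or branch instead of a full commit SHA, plus SHA pins that
lack the trailing `# <version>` comment convention this PR adopts.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path

# A full SHA-1 object id: exactly 40 hex digits.
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# `uses: owner/repo[/subdir]@ref` with an optional `# comment` after the ref.
# Lines such as `uses: ./.github/actions/foo` have no `@ref` and never match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not an annotated SHA pin."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue  # not a `uses:` line, or a local action with no @ref
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if action.startswith("docker://"):
            continue  # container images are pinned by image digest, a separate check
        if not SHA1_RE.match(ref):
            findings.append(Finding(line_no, action, ref,
                                    "mutable ref (tag or branch), not a full commit SHA"))
        elif not (comment or "").strip():
            findings.append(Finding(line_no, action, ref,
                                    "SHA pin without a trailing version comment"))
    return findings


def audit_paths(paths: list[Path]) -> dict[str, list[Finding]]:
    """Audit several workflow files; keys are the paths as given."""
    return {str(p): audit_workflow(p.read_text()) for p in paths}


# Constructed sample workflow; the two SHAs are the ones this PR introduces.
SAMPLE_WORKFLOW = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
      - uses: ./.github/actions/local-thing
"""


if __name__ == "__main__":
    # With no arguments audit the constructed sample, otherwise the given files
    # (e.g. `python audit_pins.py .github/workflows/*.yml`). Exit 1 on findings
    # so the check can gate CI.
    paths = [Path(a) for a in sys.argv[1:]]
    report = audit_paths(paths) if paths else {"<sample>": audit_workflow(SAMPLE_WORKFLOW)}
    for name, findings in report.items():
        for f in findings:
            print(f"{name}:{f.line_no}: {f.action}@{f.ref}: {f.problem}")
    sys.exit(1 if any(report.values()) else 0)
```

On the sample the checker reports line 7 (`actions/checkout@v6`, mutable tag) and line 10 (a SHA pin with no version comment) and leaves the annotated `actions/checkout` pin on line 8 alone. It only checks the shape of the reference; it does not confirm that a SHA is reachable from the tag named in its comment, which still has to be verified against the upstream repository.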