🧹 chore: Pin GitHub Action references in .github to immutable SHAs #10

Merged: ReneWerner87 merged 3 commits into main from copilot/update-github-actions-to-sha on May 10, 2026

Copilot AI commented May 10, 2026

GitHub Actions under .github still referenced mutable tags and branch names. This updates workflow and composite action uses: references to commit SHAs so executions are deterministic while keeping the original ref visible in comments.

  • What changed

    • Pinned external actions in reusable workflows to full commit SHAs
    • Pinned internal gofiber/.github action references that previously used @main
    • Left already-pinned references unchanged
  • Where

    • .github/workflows/*
    • .github/actions/*/action.yml
  • Representative updates

    • actions/checkout@v6.0.2 → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    • github/codeql-action/init@v4 → github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
    • gofiber/.github/.github/actions/clean-release-notes@main → ...@2a2c623de2cfdc4c6b52ecf52907be260a01949b # main
  • Example

    - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
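
An added example, not part of this pull request or of the gofiber tooling: one way to check that every `uses:` reference follows the convention described above (full 40-character commit SHA, original ref kept in a trailing comment). The sample workflow text is constructed from references quoted in the description, and `./.github/actions/local-example` is a hypothetical local action.

```python
import re

# A `uses:` line in a workflow step or composite-action step, with optional trailing comment.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)['"]?\s*(?:#\s*(.*))?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # full-length commit SHA only, no short SHAs


def audit_uses(text):
    """Return (line_no, reference, problem) for every `uses:` that is not fully pinned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref, comment = match.group(1), (match.group(2) or "").strip()
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images carry no git ref
        _, _, rev = ref.partition("@")
        if not FULL_SHA_RE.match(rev):
            findings.append((line_no, ref, "mutable ref"))
        elif not comment:
            findings.append((line_no, ref, "pinned, original ref not recorded"))
    return findings


# Constructed sample: references quoted on this page plus a hypothetical local action.
SAMPLE = """\
steps:
  - uses: actions/checkout@v6.0.2
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
  - name: Clean release notes
    uses: gofiber/.github/.github/actions/clean-release-notes@main
  - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
  - uses: ./.github/actions/local-example
"""

if __name__ == "__main__":
    for line_no, ref, problem in audit_uses(SAMPLE):
        print(f"line {line_no}: {ref}: {problem}")
```

The check is purely syntactic: it does not confirm that a SHA exists in the named repository or that it matches the tag or branch named in the comment.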

Copilot AI and others added 2 commits May 10, 2026 15:27
gaby marked this pull request as ready for review May 10, 2026 15:30
Copilot AI review requested due to automatic review settings May 10, 2026 15:30
gaby changed the title from "Pin GitHub Action references in .github to immutable SHAs" to "🧹 chore: Pin GitHub Action references in .github to immutable SHAs" May 10, 2026

Copilot AI left a comment

Pull request overview

Pins GitHub Actions uses: references under .github to immutable commit SHAs to make workflow/action execution deterministic and reduce supply-chain risk, while preserving the original tag/branch in comments.

Changes:

  • Updated multiple workflows to use commit-SHA-pinned references for actions/*, github/codeql-action/*, dorny/paths-filter, dependabot/fetch-metadata, and gofiber/multi-labeler.
  • Updated internal gofiber/.github action references from @main to a specific commit SHA.
  • Pinned actions/setup-go inside the clean-release-notes composite action to a commit SHA.

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/weekly-release.yml | Pins external actions and internal clean-release-notes action reference to a SHA. |
| .github/workflows/sync-docs.yml | Pins checkout/setup-node action references to SHAs. |
| .github/workflows/security-golang.yml | Pins checkout and CodeQL action references to SHAs. |
| .github/workflows/go-lint-single.yml | Pins checkout/setup-go/golangci-lint action references to SHAs. |
| .github/workflows/go-lint-multi.yml | Pins checkout/paths-filter/setup-go/golangci-lint action references to SHAs. |
| .github/workflows/dependabot-on-demand.yml | Pins checkout action reference to a SHA. |
| .github/workflows/dependabot-automerge.yml | Pins dependabot/fetch-metadata action reference to a SHA. |
| .github/workflows/auto-labeler.yml | Pins gofiber/multi-labeler action reference to a SHA. |
| .github/workflows/after-release.yml | Pins internal trigger-dependabot action reference to a SHA. |
| .github/actions/cleanup-release-draft/action.yml | Pins internal clean-release-notes action reference to a SHA. |
| .github/actions/clean-release-notes/action.yml | Pins actions/setup-go reference to a SHA. |

Comment on lines 395 to 400
- name: Checkout central repo (for cleanup tool)
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: gofiber/.github
path: .central
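
Review bot: The `with:` block on this checkout sets `repository: gofiber/.github` and `path: .central` but shows no `ref:`, so the cleanup tool checked out into `.central` would still come from whatever the default branch holds at run time, even though the checkout action itself is now pinned. If the goal is deterministic execution, consider adding a `ref:` with a commit SHA here as well, or add a comment saying the tool checkout is intentionally left floating.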

uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: gofiber/.github
- name: Clean release notes
if: steps.draft.outputs.found == 'true'
uses: gofiber/.github/.github/actions/clean-release-notes@main
uses: gofiber/.github/.github/actions/clean-release-notes@2a2c623de2cfdc4c6b52ecf52907be260a01949b # main
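
Review bot: The trailing comment on the pinned `clean-release-notes@2a2c623de2cfdc4c6b52ecf52907be260a01949b` line is `# main`, a branch name rather than a version, so it does not tell a reader which state of the action the SHA corresponds to, and the pin will not follow later changes to this internal action until someone bumps it. Consider recording a tag or date in the comment and documenting how this SHA is updated when `clean-release-notes` changes.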
ReneWerner87 merged commit 6ba4456 into main May 10, 2026
5 checks passed
ReneWerner87 deleted the copilot/update-github-actions-to-sha branch May 10, 2026 15:37