security: SHA-pin manual workflows and prune dead lock entries (P0)#1016
Merged
security: SHA-pin manual workflows and prune dead lock entries (P0)#1016
Conversation
P0 remediation from security audit (#92, #1014). Manual workflows (not gh-aw compiled) now SHA-pinned: - ci.yml: checkout@v6, setup-uv@v7 - codeql.yml: checkout@v6, codeql-action/init@v4, codeql-action/analyze@v4 - copilot-setup-steps.yml: checkout@v6, setup-uv@v7 (setup-cli@v0.68.1 line intentionally untouched) - dependency-review.yml: checkout@v6, dependency-review-action@v4.9.0 - pipeline-orchestrator.yml: checkout@v6 actions-lock.json: removed unused entries - actions/github-script@v8 (zero references) - github/gh-aw/actions/setup@v0.58.1 (zero references) All SHAs verified via GitHub API. Triple-reviewed by Codex, Sonnet 4.6, and Opus 4.6 — all clean. Refs #92 #1014 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
21 tasks
There was a problem hiding this comment.
Pull request overview
This PR hardens the repo’s GitHub Actions supply chain by SHA-pinning previously tag-pinned actions in manually maintained workflows, and by pruning unused entries from the agent workflow action lock file.
Changes:
- SHA-pin
actions/checkout,astral-sh/setup-uv, CodeQL, and dependency-review actions in manually maintained workflows. - Remove dead/unused action pins from
.github/aw/actions-lock.json(actions/github-script@v8, legacygithub/gh-aw/actions/setup@v0.58.1).
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/pipeline-orchestrator.yml | Pins actions/checkout to an immutable SHA for the orchestrator workflow. |
| .github/workflows/dependency-review.yml | Pins checkout + dependency-review action to immutable SHAs. |
| .github/workflows/copilot-setup-steps.yml | Pins checkout + setup-uv to immutable SHAs (keeps setup-cli pin unchanged). |
| .github/workflows/codeql.yml | Pins checkout + CodeQL init/analyze to immutable SHAs. |
| .github/workflows/ci.yml | Pins checkout + setup-uv to immutable SHAs. |
| .github/aw/actions-lock.json | Removes unused lock entries to reduce attack surface and drift. |
This was referenced Apr 20, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses all items in #1014 (rescoped) as part of the P0 response to audit #92.
Changes
SHA-pinned manual workflow actions (#1014 item 4)
Pinned tag refs to immutable commit SHAs in 5 workflows:
ci.yml: checkout@v6, setup-uv@v7codeql.yml: checkout@v6, codeql-action/init@v4, codeql-action/analyze@v4copilot-setup-steps.yml: checkout@v6, setup-uv@v7 (setup-cli line intentionally untouched)dependency-review.yml: checkout@v6, dependency-review-action@v4.9.0pipeline-orchestrator.yml: checkout@v6Pruned dead lock file entries (#1014 items 1 and 3)
Removed unused entries from
actions-lock.json:actions/github-script@v8— zero referencesgithub/gh-aw/actions/setup@v0.58.1— zero referencesNot in this PR
Original item #2 from #1014 (bump gh-aw-actions/setup v0.68.3 → v0.68.7) has been split out to #1021 because it is blocked on an upstream gh-aw CLI release. This PR fully addresses all currently unblocked P0 items.
Verification
gh aw compileclean, no diff vs committed.lock.ymlfilesIssue linkage
Closes #1014
Refs #92 (meta audit — do NOT close)
Refs #1021 (blocked sibling P0 — do NOT close)