Skip to content

ci: pin GitHub Actions to SHA-256 commits#962

Merged
n8mgr merged 1 commit into
masterfrom
pin-actions
May 15, 2026
Merged

ci: pin GitHub Actions to SHA-256 commits#962
n8mgr merged 1 commit into
masterfrom
pin-actions

Conversation

@n8mgr
Copy link
Copy Markdown
Member

@n8mgr n8mgr commented May 15, 2026

Summary

  • Pin every uses: reference in workflows to a specific commit SHA
  • Each pin is annotated with the corresponding version tag in a trailing comment
  • Versions stay within the existing major (e.g. @v4 → latest v4.x.y SHA) to avoid breaking changes

Why

Mitigates supply-chain attacks where a tag could be retargeted to malicious code. Pinning to a SHA is the recommended hardening practice.

Notes for reviewers

  • Annotated tags resolve to the underlying commit SHA (not the tag object)
  • For SiaFoundation/workflows@master and dtolnay/rust-toolchain@stable|nightly (which use a branch ref intentionally), the pin uses the current branch tip SHA — future updates will require a follow-up PR
  • This PR was generated by tooling; please skim each workflow diff

@n8mgr
ci: pin GitHub Actions to SHA-256 commits
767d5c6 
Pin all action references to specific commit SHAs to prevent supply-chain
attacks. Each pin is annotated with a human-readable version tag for clarity.
Versions stay within the existing major version to avoid breaking changes.
Copilot AI review requested due to automatic review settings May 15, 2026 16:25
@n8mgr n8mgr self-assigned this May 15, 2026
@n8mgr n8mgr requested review from ChrisSchinnerl and peterjan May 15, 2026 16:25
claude[bot]
claude Bot reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown

@claude claude Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

Tip: disable this comment in your organization's Code Review settings.

@github-project-automation github-project-automation Bot moved this to In Progress in Sia May 15, 2026
github-advanced-security[bot]
github-advanced-security AI found potential problems May 15, 2026
View reviewed changes
Comment thread .github/workflows/main.yml
jobs:
test:
uses: SiaFoundation/workflows/.github/workflows/go-test.yml@master
uses: SiaFoundation/workflows/.github/workflows/go-test.yml@22e56c0750c0febb09784caa01c60021e0b5f111 # master
Copilot AI reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens GitHub Actions workflows by replacing mutable uses: refs with specific commit refs while preserving the previously referenced branches/tags in comments.

Changes:

  • Pins reusable SiaFoundation workflows/actions from master to a commit SHA.
  • Pins actions/checkout and knope-dev/action in the release-preparation workflow.
  • Adds trailing comments documenting the original branch/tag refs.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
.github/workflows/ui.yml Pins the UI update action ref.
.github/workflows/publish.yml Pins the reusable publish workflow ref.
.github/workflows/project-add.yml Pins the project-add reusable workflow ref.
.github/workflows/prepare-release.yml Pins checkout and Knope action refs.
.github/workflows/openapi-sync.yml Pins the OpenAPI sync reusable workflow ref.
.github/workflows/main.yml Pins the main test reusable workflow ref.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/main.yml
jobs:
test:
uses: SiaFoundation/workflows/.github/workflows/go-test.yml@master
uses: SiaFoundation/workflows/.github/workflows/go-test.yml@22e56c0750c0febb09784caa01c60021e0b5f111 # master
Comment thread .github/workflows/prepare-release.yml
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@n8mgr n8mgr merged commit 57e829c into master May 15, 2026
19 of 21 checks passed
@n8mgr n8mgr deleted the pin-actions branch May 15, 2026 17:14
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Sia May 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@claude claude[bot] claude[bot] left review comments

@ChrisSchinnerl ChrisSchinnerl Awaiting requested review from ChrisSchinnerl

@peterjan peterjan Awaiting requested review from peterjan

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@n8mgr n8mgr

Labels

None yet

Projects

Sia
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@n8mgr @github-advanced-security @ChrisSchinnerl