ci: pin runners and action SHAs#8

Merged
Maik-0000FF merged 1 commit into
mainfrom
ci/pin-actions
Jun 6, 2026
Conversation

@Maik-0000FF

Owner

What

Hygiene follow-up to the CodeQL PR (Maik-0000FF/SpaceUX#426): make the CI workflow's runners and third-party actions deterministic, matching the CodeQL workflow and the main SpaceUX repo.

  • Runners: every job pinned to ubuntu-24.04 instead of ubuntu-latest, so a silent runner-image migration can't break the jobs.
  • Actions: pinned to commit SHAs (with version comments) instead of moving tags, so a moved tag can't change what runs:
    • actions/checkout -> v6.0.3
    • actions/setup-node -> v6.4.0
    • actions/upload-artifact -> v7.0.1

Why

A moving tag (@v5) is mutable: the action owner (or an attacker who compromises the repo) can repoint it, changing what executes in CI. SHA pinning closes that supply-chain gap. Same convention the main repo already uses.

Refs Maik-0000FF/SpaceUX#426
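An added example, not code from this PR or the SpaceUX repo: a small audit that checks a workflow for the two properties the PR enforces, runner labels that do not end in `-latest` and third-party actions pinned to a 40-hex commit SHA with a version comment. The workflow text is constructed for the example and its SHAs are placeholders, not real commits.

```python
import re

# Constructed sample workflow: the "test" job still uses a moving runner label and
# moving tags, the "build" job is pinned the way the PR requires. SHAs are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - uses: ./.github/actions/local-step
  build:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.3
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(?P<label>\S+)\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text: str) -> list[str]:
    """Return one finding per line that is not pinned the way this PR requires."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RUNS_ON_RE.match(line)
        if m and m["label"].endswith("-latest"):
            findings.append(f"{lineno}: runner '{m['label']}' is a moving image label")
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m["ref"]
        if ref.startswith(("./", "docker://")) or "@" not in ref:
            continue  # local or container action: nothing to SHA-pin here
        action, version = ref.rsplit("@", 1)
        if not SHA_RE.match(version):
            findings.append(f"{lineno}: {action} uses mutable ref '{version}'")
        elif not m["comment"]:
            findings.append(f"{lineno}: {action} is SHA-pinned but lacks a version comment")
    return findings
```

Running `audit_workflow(SAMPLE_WORKFLOW)` reports the `ubuntu-latest` runner, the two `@vN` tags, and the pinned `upload-artifact` step that has no version comment; the comment matters because a bare SHA gives reviewers no way to see which release a bump moves to.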

Pin every job's runner to ubuntu-24.04 (not -latest) and every third-party
action to a commit SHA with a version comment, matching the CodeQL workflow
and the main SpaceUX repo. A moved tag or a silent runner-image migration
can no longer change what runs.

Refs Maik-0000FF/SpaceUX#426
@Maik-0000FF Maik-0000FF merged commit f33bf9f into main Jun 6, 2026
6 checks passed
@Maik-0000FF Maik-0000FF deleted the ci/pin-actions branch June 6, 2026 10:03