Skip to content

fix: pin GitHub Actions to commit SHA hashes for supply chain security #479

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zkoppert merged 5 commits into from
Feb 11, 2026
Merged

fix: pin GitHub Actions to commit SHA hashes for supply chain security #479

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
11ddeb9
Initial plan
Claude Feb 11, 2026
b41452a
Pin GitHub Actions to commit SHA hashes for supply chain security
Claude Feb 11, 2026
a239735
Apply black formatting to Python files
Claude Feb 11, 2026
71791c1
Upgrade Super Linter to version 8.5.0
zkoppert Feb 11, 2026
5577639
fix: spelling
zkoppert Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/linters/.markdown-lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
---
# line length
MD013: false
# singe h1
# single h1
MD025: false
# duplicate headers
MD024: false
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/copilot-setup-steps.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,12 +26,12 @@ jobs:
# If you do not check out your code, Copilot will do this for you.
steps:
- name: Checkout code
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Set up Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: 3.12

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/docker-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Build the Docker image
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/python-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,11 @@ jobs:
matrix:
python-version: [3.11, 3.12]
steps:
- uses: actions/checkout@v6.0.2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Install dependencies
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/scorecard.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

Expand All @@ -36,7 +36,7 @@ jobs:
results_format: sarif
publish_results: true
- name: "Upload artifact"
uses: actions/upload-artifact@v6.0.0
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
Copy link

Copilot AI Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The github/codeql-action/upload-sarif action is using a SHA hash without a version tag comment. Following the pattern established in this PR, this should include a comment indicating which version the SHA corresponds to. This makes it easier to track versions and perform updates.

Copilot uses AI. Check for mistakes.
with:
name: SARIF file
path: results.sarif
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/stale.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
issues: write
pull-requests: read
steps:
- uses: actions/stale@v10.1.1
- uses: actions/stale@997185467fa4f803885201cee163a9f38240193d # v10.1.1
with:
stale-issue-message: "This issue is stale because it has been open 21 days with no activity. Remove stale label or comment or this will be closed in 14 days."
close-issue-message: "This issue was closed because it has been stalled for 35 days with no activity."
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/super-linter.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,19 +19,19 @@ jobs:

steps:
- name: Checkout Code
uses: actions/checkout@v6.0.2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Setup Python
uses: actions/setup-python@v6.2.0
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3.12"
- name: Install dependencies
run: |
pip install -r requirements.txt -r requirements-test.txt
- name: Lint Code Base
uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
Copy link

Copilot AI Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The super-linter version was upgraded from v8.3.2 to v8.5.0. According to stored memories, v8.3.2 uses black 24.10.0. This upgrade may include a different version of black, which could cause inconsistencies with the local black 26.1.0 specified in requirements-test.txt. Consider verifying which version of black is included in super-linter v8.5.0 to ensure the formatting changes are stable and won't cause future CI failures.

Copilot uses AI. Check for mistakes.
env:
DEFAULT_BRANCH: main
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down
12 changes: 4 additions & 8 deletions evergreen.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -472,17 +472,15 @@ def get_global_issue_id(ghe, token, organization, repository, issue_number):
api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com"
url = f"{api_endpoint}/graphql"
headers = {"Authorization": f"Bearer {token}"}
data = {
"query": f"""
data = {"query": f"""
query {{
repository(owner: "{organization}", name: "{repository}") {{
issue(number: {issue_number}) {{
id
}}
}}
}}
"""
}
"""}

try:
response = requests.post(url, headers=headers, json=data, timeout=20)
Expand All @@ -506,17 +504,15 @@ def get_global_pr_id(ghe, token, organization, repository, pr_number):
api_endpoint = f"{ghe}/api/v3" if ghe else "https://api.github.com"
url = f"{api_endpoint}/graphql"
headers = {"Authorization": f"Bearer {token}"}
data = {
"query": f"""
data = {"query": f"""
query {{
repository(owner: "{organization}", name: "{repository}") {{
pullRequest(number: {pr_number}) {{
id
}}
}}
}}
"""
}
"""}

try:
response = requests.post(url, headers=headers, json=data, timeout=20)
Expand Down
Loading
Loading