
ci: pin GitHub Actions to commit SHAs#4

Merged
psd-coder merged 1 commit into main from pin-gh-actions on May 19, 2026

Conversation

@psd-coder

Owner

Overview

Pins all third-party GitHub Actions references to full commit SHAs with version comments.

Problem Statement

Floating tags like @v6 are mutable: a compromised or retagged release can silently execute arbitrary code in CI with access to repo secrets and the GITHUB_TOKEN. This matches GitHub's hardening guidance and recent supply-chain incidents (e.g. tj-actions).

Solution Approach

  • Pin actions/checkout@v6 to de0fac2e... (v6.0.2) across deploy-docs, lint, publish, typecheck
  • Pin actions/setup-node@v6 to 48b55a01... (v6.4.0) in prepare-runner composite and publish
  • Pin actions/upload-pages-artifact@v3 to fc324d35... (v5.0.0) and actions/deploy-pages@v4 to cd2ce8fc... (v5.0.0)
  • Retain human-readable # vX.Y.Z trailing comments so Dependabot can keep them current

Breaking Changes

None.
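The pinning policy this PR applies can be checked mechanically. Below is an added example (not code from this repository) that scans a workflow file for `uses:` references and flags third-party actions that are not pinned to a full 40-hex commit SHA, or that are pinned but lack the trailing `# vX.Y.Z` comment Dependabot relies on. The sample workflow and its SHA value are constructed placeholders.

```python
import re
from typing import List, Tuple

# Constructed sample workflow; the SHA below is a placeholder (40 hex digits),
# not a real actions/* commit, because the PR only shows truncated prefixes.
SAMPLE_WORKFLOW = """\
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v6.4.0
      - uses: actions/upload-pages-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/prepare-runner
      - uses: docker://alpine:3.20
"""

# Matches "- uses: <ref>" with an optional trailing "# <comment>".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v\d+(?:\.\d+)*$")


def audit_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (reference, finding) for each third-party action reference that
    is not pinned to a full commit SHA with a human-readable version comment.
    Local actions (./...) and docker:// images are out of scope for SHA pinning."""
    findings: List[Tuple[str, str]] = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1).strip("\"'"), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((ref, "no ref"))
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):
            # A tag or branch name: mutable, so a retag can swap the code run in CI.
            findings.append((ref, "floating ref"))
        elif comment is None or not VERSION_COMMENT_RE.match(comment):
            # Pinned, but without the "# vX.Y.Z" comment Dependabot uses to bump it.
            findings.append((ref, "pinned but missing version comment"))
    return findings
```

Running `audit_uses(SAMPLE_WORKFLOW)` reports the floating `actions/checkout@v6` and the SHA-pinned artifact action that has no version comment, while the correctly pinned `setup-node` line passes.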

@psd-coder psd-coder self-assigned this May 19, 2026
@psd-coder psd-coder merged commit e71597e into main May 19, 2026
4 checks passed
@psd-coder psd-coder deleted the pin-gh-actions branch May 19, 2026 15:28
