[PR #729] [MERGED] chore: pin GitHub Actions to commit SHA #15345

Closed
opened 2026-06-19 23:32:54 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/docker/awesome-compose/pull/729
Author: @quentin-laplanche-docker
Created: 4/20/2026
Status: Merged
Merged: 6/4/2026
Merged by: @vallieres

Base: masterHead: sec-cli/pin-actions


📝 Commits (1)

  • 26ab423 chore: pin GitHub Actions to commit SHA

📊 Changes

1 file changed (+4 additions, -4 deletions)

View changed files

📝 .github/workflows/codeql-analysis.yml (+4 -4)

📄 Description

What

This Pull Request pins all GitHub Actions references in workflow files from mutable tags (e.g. v4, latest) to their corresponding full-length commit SHAs, with the original tag preserved as an inline comment for readability.

Before:

uses: actions/checkout@v4

After:

uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

Important

No functional behavior changes — workflows will run the exact same action code as before.

Why

Mutable tags (like v4 or latest) can be force-pushed to point to a different commit at any time. Pinning to a full SHA ensures:

  • Supply chain integrity — the exact code that runs in CI is immutable and auditable
  • Protection against tag hijacking — a compromised upstream action can't silently inject malicious code via a tag update
  • Reproducible builds — workflows always use the same action code regardless of upstream changes

Note

Where mutable references were used (e.g. v4, latest), the SHA corresponds to the commit the reference pointed to on April 16th, 2026 at 11:30 AM UTC.

How this was done

Changes were generated automatically by the Docker security team using internal tooling that resolves each action tag to its corresponding commit SHA via the GitHub API and rewrites the workflow files.

Every third-party action used across the org has been individually security-reviewed before pinning.

How to review

  • Each uses: line now references a full 40-character SHA
  • Pinned SHAs match the versions previously used
  • Inline # vX comments match the original tags that were pinned

Please feel free to edit this pull request !

Warning

If anything looks incorrect or unexpected, or if you have questions, reach out to #help-security on Slack before merging.


Note

If you need to update a pinned action in the future, update both the SHA and the inline comment.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/docker/awesome-compose/pull/729 **Author:** [@quentin-laplanche-docker](https://github.com/quentin-laplanche-docker) **Created:** 4/20/2026 **Status:** ✅ Merged **Merged:** 6/4/2026 **Merged by:** [@vallieres](https://github.com/vallieres) **Base:** `master` ← **Head:** `sec-cli/pin-actions` --- ### 📝 Commits (1) - [`26ab423`](https://github.com/docker/awesome-compose/commit/26ab423f147a31a6872b0cbfb841abf9de61781c) chore: pin GitHub Actions to commit SHA ### 📊 Changes **1 file changed** (+4 additions, -4 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/codeql-analysis.yml` (+4 -4) </details> ### 📄 Description ## What This Pull Request pins all GitHub Actions references in workflow files from mutable tags (e.g. `v4`, `latest`) to their corresponding **full-length commit SHAs**, with the original tag preserved as an inline comment for readability. **Before:** ```yaml uses: actions/checkout@v4 ``` **After:** ```yaml uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 ``` > [!IMPORTANT] > No functional behavior changes — workflows will run the exact same action code as before. ## Why Mutable tags (like `v4` or `latest`) can be force-pushed to point to a different commit at any time. Pinning to a full SHA ensures: - **Supply chain integrity** — the exact code that runs in CI is immutable and auditable - **Protection against tag hijacking** — a compromised upstream action can't silently inject malicious code via a tag update - **Reproducible builds** — workflows always use the same action code regardless of upstream changes > [!NOTE] > Where mutable references were used (e.g. `v4`, `latest`), the SHA corresponds to the commit the reference pointed to on **April 16th, 2026 at 11:30 AM UTC**. <details> <summary><h2>How this was done</h2></summary> Changes were generated automatically by the Docker security team using internal tooling that resolves each action tag to its corresponding commit SHA via the GitHub API and rewrites the workflow files. Every third-party action used across the org has been individually security-reviewed before pinning. </details> ## How to review - [ ] Each `uses:` line now references a full 40-character SHA - [ ] Pinned SHAs match the versions previously used - [ ] Inline `# vX` comments match the original tags that were pinned __Please feel free to edit this pull request !__ > [!WARNING] > If anything looks incorrect or unexpected, or if you have questions, reach out to **#help-security** on Slack **before merging**. --- > [!NOTE] > If you need to update a pinned action in the future, update both the SHA **and** the inline comment. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-19 23:32:54 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/awesome-compose#15345