[PR #293] [MERGED] ci: pin third-party GitHub Actions to commit SHAs #3017

Closed
opened 2026-05-20 14:51:29 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/RayLabsHQ/gitea-mirror/pull/293
Author: @arunavo4
Created: 5/19/2026
Status: Merged
Merged: 5/19/2026
Merged by: @arunavo4

Base: main ← Head: ci/pin-actions-to-sha


📝 Commits (1)

  • d687a9a ci: pin third-party GitHub Actions to commit SHAs

📊 Changes

2 files changed (+11 additions, -11 deletions)

📝 .github/workflows/docker-build.yml (+9 -9)
📝 .github/workflows/nix-build.yml (+2 -2)

📄 Description

Summary

Hardens our CI against the tag-mutation supply-chain attack pattern that recently hit actions-cool/issues-helper and actions-cool/maintain-one-comment (https://thehackernews.com/2026/05/github-actions-supply-chain-attack.html) (and tj-actions/changed-files earlier this year).

Threat model: tag refs (@v3) are mutable. A compromised maintainer can force-move v3 to point at malicious code, and every workflow using @v3 picks it up on the next run. The actions-cool payload read memory from Runner.Worker to steal credentials and exfiltrated them via HTTPS. Pinning to a 40-char commit SHA makes the ref immutable.

This PR covers the highest-risk subset:

  • nix-build.yml had two branch refs (@main) — worse than tags because they move on every push. Pinned to the latest release SHA (v22 / v13).
  • docker-build.yml is our most secret-bearing workflow (GHCR push token, Docker Hub login, Docker Scout). All five third-party actions there are now SHA-pinned.

We're not affected by the current actions-cool incident — neither action is in our chain — but the pattern keeps recurring, so the hygiene matters.

What's not in this PR

  • First-party actions/checkout, actions/upload-artifact, actions/setup-python, actions/setup-node, actions/github-script, github/codeql-action/* — lower risk (well-resourced GitHub-owned orgs), separate follow-up.
  • oven-sh/setup-bun, azure/setup-helm in helm-test.yml / astro-build-test.yml / e2e-tests.yml — those workflows don't hold publish secrets, also a follow-up.
  • Dependabot config for github-actions ecosystem — recommended next so SHA pins still get bumped automatically with the version comment trailer.

Test plan

  • [x] Diff is purely @v3 → @<sha> # v3.x.y — no semantic change to workflow behavior, just the ref
  • [x] All SHAs verified via gh api repos/<org>/<repo>/git/ref/tags/<tag> against the latest released tag at time of pin
  • [ ] First post-merge CI run on docker-build.yml succeeds (validates the SHA pins resolve correctly on GitHub's runners)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

GiteaMirror added the pull-request label 2026-05-20 14:51:29 -05:00
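
An audit for the pinning policy described in the PR, as an added example that is not part of the PR or the gitea-mirror repository: it classifies every remote `uses:` ref in a workflow as a full commit SHA or a mutable ref and reports the third-party ones that are still mutable. Assumptions: the `example-org/*` action names and the SHA in the sample are constructed placeholders, the first-party owner set follows the description's grouping, and the split between "version-like" and "other-ref" is a naming heuristic, since a ref name alone does not say whether it is a tag or a branch.

```python
import re
from typing import NamedTuple

# Matches "uses: owner/repo[/path]@ref  # trailer" in a step or reusable-workflow job.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[^@\s'\"]+)@(?P<ref>[^\s'\"#]+)['\"]?"
    r"\s*(?:#\s*(?P<trailer>.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"v?\d+(\.\d+)*")
FIRST_PARTY_OWNERS = {"actions", "github"}  # owners the PR defers to a follow-up

class Finding(NamedTuple):
    line: int
    action: str
    ref: str
    kind: str          # "sha", "version-like" or "other-ref"
    first_party: bool
    trailer: str       # version comment after the pin, "" if absent

def audit_workflow(text):
    """Classify the ref of every remote `uses:` entry in one workflow file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["action"].startswith("docker://"):
            continue  # local ./path actions have no @ref; images carry no git ref
        action, ref = m["action"], m["ref"]
        if FULL_SHA_RE.fullmatch(ref):
            kind = "sha"
        elif VERSION_RE.fullmatch(ref):
            kind = "version-like"  # naming heuristic: looks like a release tag
        else:
            kind = "other-ref"     # e.g. main; a branch or a non-version tag
        first_party = action.split("/", 1)[0].lower() in FIRST_PARTY_OWNERS
        findings.append(Finding(lineno, action, ref, kind, first_party,
                                (m["trailer"] or "").strip()))
    return findings

def unpinned_third_party(findings):
    """Entries the PR's policy targets: third-party and not a full commit SHA."""
    return [f for f in findings if f.kind != "sha" and not f.first_party]

# Constructed sample step lines; example-org/* names and the SHA are placeholders.
SAMPLE = """\
- uses: actions/checkout@v4
- uses: example-org/nix-installer@main
- uses: example-org/login-action@v3
- uses: example-org/build-push@0123456789abcdef0123456789abcdef01234567 # v6.1.0
- uses: ./.github/actions/local
"""
```

Run over each file in `.github/workflows/`, a non-empty `unpinned_third_party` result can fail a CI check; a `sha` finding with an empty `trailer` marks a pin that lacks the version comment the description relies on.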
Reference: github-starred/gitea-mirror#3017