Description
Problem
Repositories with security rulesets requiring "all actions must be pinned to full-length commit SHA" cannot use Factory-AI/droid-action because it internally references actions using version tags instead of commit SHAs.
Error
When running the droid-action in a repository with SHA-pinning requirements:
```text
The action actions/upload-artifact@v4 is not allowed in <repo>
because all actions must be pinned to a full-length commit SHA.
```
Root Cause
In action.yml, the action uses:
```yaml
- uses: actions/upload-artifact@v4
```
GitHub's repository rulesets apply SHA-pinning requirements recursively to all nested action dependencies, including those referenced by composite actions.
Requested Change
Update internal action references to use full-length commit SHAs:
```yaml
# Before
- uses: actions/upload-artifact@v4
# After
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
```
Why This Matters
- SLSA Level 2+ compliance requires immutable action references
- Supply chain security: an immutable SHA reference prevents tag manipulation attacks, since a moved or re-pointed tag cannot change what code runs
- Enterprise adoption often mandates SHA-pinning for all third-party actions
- GitHub's security hardening guide recommends this practice: Security hardening for GitHub Actions
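To make the Root Cause and Requested Change above concrete, here is an added example (not part of the issue or of droid-action) that scans an action.yml for `uses:` references and reports every one that a "full-length commit SHA" ruleset would reject. The sample action.yml is constructed; `docker://` references are not evaluated here.

```python
import re

# A full-length commit SHA is exactly 40 hex characters; tags (v4), branches
# and abbreviated SHAs (6f51ac0) all fail the ruleset described in the issue.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?")

def classify_ref(ref: str) -> str:
    """Classify one `uses:` reference the way a SHA-pinning ruleset would."""
    if ref.startswith("./"):
        return "local"        # same-repository path, nothing to pin
    if ref.startswith("docker://"):
        return "docker"       # image reference, not evaluated by this example
    if "@" not in ref:
        return "unpinned"     # no ref at all
    _, _, version = ref.rpartition("@")
    return "pinned" if FULL_SHA.match(version) else "unpinned"

def find_unpinned(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for each `uses:` not pinned to a full SHA."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m and classify_ref(m.group(1)) == "unpinned":
            findings.append((lineno, m.group(1)))
    return findings

# Constructed composite action: one tag reference, one SHA-pinned reference,
# one local path. Only the tag reference should be reported.
SAMPLE_ACTION_YML = """\
name: constructed-example
runs:
  using: composite
  steps:
    - uses: actions/checkout@v4
    - uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
    - uses: ./.github/actions/local-step
    - run: echo done
      shell: bash
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_ACTION_YML):
        print(f"line {lineno}: {ref} is not pinned to a full-length commit SHA")
```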
Affected Versions
| Version | SHA | Status |
|---|---|---|
| v1 tag | 65dab2847e1b4a8a24332cfdef116e4ac3777789 | Contains non-pinned references |
| Latest | e3f8be9f34bb41b11e852e836cb64e81f13fba59 | Contains non-pinned references |
Additional Context
This is a blocking issue for security-conscious organizations. We would like to use droid-action for automated PR reviews but cannot until internal dependencies are SHA-pinned.
Thank you for considering this enhancement!