Pin third-party actions to specific releases in GitHub Actions workflows #133

@joeparsons

Description

Pinning to specific revision hashes is considered a best-practice when using third-party GitHub actions in workflows.

An undocumented feature was added to Dependabot several years ago which makes it possible for both the commit hash and a human-readable comment containing the version/tag to be updated by Dependabot.

I.e., Dependabot should be able to make updates like this automatically:

-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
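Review bot: before merging an update of this shape, verify that the new hash actually resolves to the tag named in the trailing comment (`git ls-remote --tags` on the action's repository, peeling the tag), because the 40-hex hash after `@` is the only thing that is executed and the `# v5.0.0` comment is just a label; a plausible-looking comment attached to a hash that is not the tagged commit is exactly the substitution that pinning is meant to make visible, and the diff gives a reviewer no way to tell the two apart by eye.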

We should update all of our references to third-party GitHub actions to use specific commit hashes in this way.
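A small audit-and-pin tool for the policy proposed above, written here as an added example (it is not code from this issue, from Dependabot, or from the project). It finds every third-party `uses:` reference in a workflow file, reports which ones are pinned to a full commit SHA and which are still on a mutable tag or branch, rewrites the mutable ones into the `<sha> # <tag>` form Dependabot keeps updated, and flags SHA-pinned lines whose `# tag` comment no longer matches what the tag resolves to. The `uses:` regex, the sample workflow and the tag-to-commit table are all constructed for the example; the table stands in for a real resolver, which in practice would run `git ls-remote --tags https://github.com/<owner>/<repo> '<tag>^{}'` to get the peeled commit of an annotated tag.

```python
"""Audit, pin and cross-check `uses:` references in GitHub Actions workflows.

Added example, not code from the issue or the project. The resolver that maps a
tag to a commit is stubbed with a constructed table; in real use it would wrap
`git ls-remote --tags https://github.com/<repo> '<tag>^{}'`.
"""
import re
from typing import Callable, Dict, List, Tuple

# `- uses: owner/repo[/path]@ref   # optional comment`  (assumed line shape)
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # full commit id: the only immutable ref
COMMENT_RE = re.compile(r"#\s*(?P<tag>\S+)")   # the human-readable `# v4.2.2` label

Resolver = Callable[[str, str], str]  # (owner/repo, tag) -> 40-hex commit


def repo_of(action: str) -> str:
    """`actions/aws/ec2` and `org/repo/.github/workflows/x.yml@ref` live in `owner/repo`."""
    return "/".join(action.split("/")[:2])


def audit(workflow: str) -> List[Tuple[int, str, str, str]]:
    """(line_no, action, ref, 'sha'|'mutable') for every third-party `uses:` line.
    Local (`./...`) and `docker://` references carry no git ref and are skipped."""
    out = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            kind = "sha" if SHA_RE.match(m["ref"]) else "mutable"
            out.append((n, m["action"], m["ref"], kind))
    return out


def pin(workflow: str, resolve: Resolver) -> str:
    """Rewrite every mutable ref as `<sha> # <tag>`, the form Dependabot maintains."""
    lines = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.match(m["ref"]):
            sha = resolve(repo_of(m["action"]), m["ref"])
            if not SHA_RE.match(sha):  # never write a ref that is not a full commit
                raise ValueError(f"resolver returned non-SHA {sha!r} for {m['action']}@{m['ref']}")
            line = f"{m['prefix']}{m['action']}@{sha} # {m['ref']}"
        lines.append(line)
    return "\n".join(lines) + "\n"


def stale_comments(workflow: str, resolve: Resolver) -> List[Tuple[int, str, str, str]]:
    """SHA-pinned lines whose `# tag` comment does not match what the tag resolves to.
    The SHA is what runs; the comment is only a label, so a mismatch is a review red flag."""
    out = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not (m and SHA_RE.match(m["ref"])):
            continue
        c = COMMENT_RE.search(m["rest"])
        if c and resolve(repo_of(m["action"]), c["tag"]) != m["ref"]:
            out.append((n, m["action"], m["ref"], c["tag"]))
    return out


# --- constructed sample data (not real hashes; the tag table is a stand-in for git ls-remote) ---
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@cafebabecafebabecafebabecafebabecafebabe # v5.0.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: octo-org/example-workflows/.github/workflows/reusable.yml@main
      - uses: actions/upload-artifact@abad1deaabad1deaabad1deaabad1deaabad1dea # v4.0.0
"""

TAG_TABLE: Dict[Tuple[str, str], str] = {
    ("actions/checkout", "v4"): "deadbeef" * 5,
    ("actions/setup-python", "v5.0.0"): "cafebabe" * 5,
    ("actions/upload-artifact", "v4.0.0"): "feedface" * 5,  # the pinned line above claims otherwise
    ("octo-org/example-workflows", "main"): "0123456789abcdef" * 2 + "01234567",
}


def lookup(repo: str, tag: str) -> str:
    """Constructed resolver: raises KeyError for tags the table does not know."""
    return TAG_TABLE[(repo, tag)]


if __name__ == "__main__":
    for n, action, ref, kind in audit(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} [{kind}]")
    print(pin(SAMPLE_WORKFLOW, lookup))
    for n, action, sha, tag in stale_comments(SAMPLE_WORKFLOW, lookup):
        print(f"line {n}: {action}@{sha} is labelled {tag}, but {tag} resolves elsewhere")
```

`pin` only touches mutable refs, so a SHA-pinned line with a wrong label is left alone and surfaces through `stale_comments` instead; that separation is deliberate, because silently "correcting" a hash that a human pinned would hide the very discrepancy a reviewer should look at. The `# tag` comment written by `pin` is what lets Dependabot (with a `github-actions` entry in `.github/dependabot.yml`) recognise the pin as a versioned dependency and bump both hash and comment together as in the diff above.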

Metadata

Labels

backport: Changes to be back-ported to previous development or release branch(es)
ci: Continuous integration / automation
dependencies: Pull requests that update a dependency file
enhancement: New feature or request

Projects

No projects

Milestone

No milestone
