Copilot AI commented Dec 13, 2025

All GitHub Actions in workflow files are now pinned to commit hashes instead of mutable version tags, improving supply chain security by preventing unexpected changes from upstream action updates.

Changes:

  • Pinned 8 distinct actions across 22 uses to their commit SHA-256 hashes
  • Added version tag comments for human readability: action@<commit-hash> # <version>
  • Updated to specific patch versions (v6.0.1, v3.7.0, v3.3.0, v5.0.0, v6.1.0, v6.0.0)

Format:

- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
- uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3.7.0
- uses: pypa/cibuildwheel@63fd63b352a9a8bdcc24791c9dbee952ee9a8abc  # v3.3.0

Actions Updated:

  • actions/checkout, actions/setup-python, actions/upload-artifact, actions/download-artifact
  • docker/setup-qemu-action, pypa/cibuildwheel
  • ilammy/msvc-dev-cmd, softprops/action-gh-release
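As an added example (not code from this PR or its repository), here is a small Python check that enforces the pinning format described above: every `uses:` line must reference a 40-hex commit SHA followed by a specific patch-version comment. The sample workflow embedded in it is constructed from lines shown in this PR plus two deliberately non-compliant entries.

```python
import re
import sys

# Matches "uses: owner/repo[/path]@ref" with an optional trailing "# comment".
# Local (./path) and docker:// uses have no "@" and are not checked here.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full 40-hex commit id
VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+$")    # specific patch release, e.g. v6.0.1

def check_workflow(text):
    """Return (line_no, action, problem) for every uses: line that is not
    pinned to a full commit SHA carrying a specific-version comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action", "ref", "comment")
        if not SHA_RE.match(ref):
            findings.append((n, action, f"ref {ref!r} is a mutable tag or branch, not a commit SHA"))
        elif comment is None:
            findings.append((n, action, "pinned SHA has no version comment"))
        elif not VERSION_RE.match(comment):
            findings.append((n, action, f"comment {comment!r} is not a specific patch version"))
    return findings

# Constructed sample: three lines copied from this PR, plus one mutable-tag
# line (setup-python@v5) and one comment-less SHA line added to exercise the checks.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
      - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3.7.0
      - uses: actions/setup-python@v5
      - uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
      - uses: pypa/cibuildwheel@63fd63b352a9a8bdcc24791c9dbee952ee9a8abc
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    findings = check_workflow(text)
    for n, action, problem in findings:
        print(f"line {n}: {action}: {problem}")
    sys.exit(1 if findings else 0)
```

Run it with a workflow path as the only argument; a non-zero exit status makes it usable as a CI gate.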


Copilot AI and others added 2 commits December 13, 2025 18:43
Co-authored-by: shenxianpeng <3353385+shenxianpeng@users.noreply.github.com>
Co-authored-by: shenxianpeng <3353385+shenxianpeng@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Bump actions group with six updates" to "Pin GitHub Actions to commit hashes with version tags" Dec 13, 2025
Copilot AI requested a review from shenxianpeng December 13, 2025 18:49
@shenxianpeng shenxianpeng marked this pull request as ready for review December 13, 2025 18:58
@shenxianpeng shenxianpeng requested a review from Copilot December 13, 2025 19:00

Copilot AI left a comment


Pull request overview

This PR enhances supply chain security by pinning all GitHub Actions to immutable commit SHA-256 hashes instead of mutable version tags. Each pinned action includes a human-readable version comment for maintainability.

Key Changes:

  • Pinned 8 distinct GitHub Actions to their commit hashes across 22 uses in the release workflow
  • Added inline version tag comments in the format action@<commit-hash> # <version> for readability
  • Updated actions to specific versions for checkout, upload/download artifacts, Python setup, QEMU setup, cibuildwheel, MSVC setup, and GitHub release creation


- name: Create draft release
uses: softprops/action-gh-release@v2
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
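Review bot: the version comment `# v2` on the pinned `softprops/action-gh-release` line names a floating major-version tag rather than the release the SHA actually belongs to, so a reader cannot check a06a81a03ee405af7f2048a818ed3f03bbf83c7b against an upstream release from the comment alone. Replace it with the exact release tag that points at that commit, in the same `# v6.0.1` patch-version style the other actions in this PR use, so the comment stays verifiable and consistent.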

Copilot AI Dec 13, 2025


The version comment uses "v2" without a specific patch version, which is inconsistent with other actions in this PR that use specific patch versions (e.g., v6.0.1, v3.7.0). Consider using a more specific version tag like "v2.x.x" for consistency and clarity, or verify that v2 is indeed the most specific tag available for this action.

shenxianpeng and others added 2 commits December 13, 2025 21:32
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@shenxianpeng shenxianpeng merged commit 48feedb into dependabot/github_actions/actions-fb87565d5d Dec 13, 2025
2 checks passed
@shenxianpeng shenxianpeng deleted the copilot/sub-pr-6 branch December 13, 2025 19:33