Skip to content

Pinning GitHub actions #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
elgordomac merged 1 commit into from
Dec 5, 2025
Merged

Pinning GitHub actions #24

elgordomac merged 1 commit into from
Dec 5, 2025

Conversation

@elgordomac
Copy link
Contributor

@elgordomac elgordomac commented Dec 3, 2025
edited by cubic-dev-ai bot
Loading

Summary by cubic

Pinned GitHub Actions to specific commit SHAs in build and release workflows to meet ENG-11298 and improve security and reproducibility.

  • Dependencies
    • actions/checkout pinned to v3.6.0 (build) and v2.7.0 (release).
    • actions/setup-node pinned to v3.9.1 (build) and v1.4.6 (release).

Written for commit df1ec31. Summary will update automatically on new commits.

Copilot AI review requested due to automatic review settings December 3, 2025 14:57
Copilot AI reviewed Dec 3, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances security by pinning GitHub Actions to specific commit hashes rather than mutable version tags. This prevents potential supply chain attacks where action versions could be modified maliciously.

Key changes:

  • Pinned actions/checkout and actions/setup-node to specific commit SHAs
  • Added version comments for traceability

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/release.yml Pinned checkout action to v2.7.0 and setup-node to v1.4.6 with commit hashes
.github/workflows/build.yml Pinned checkout action to v3.6.0 and setup-node to v3.9.1 with commit hashes

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/release.yml
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
Copy link

Copilot AI Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actions/checkout@v2 action is outdated. This workflow uses v2.7.0 while the build workflow uses v3.6.0. Consider upgrading to v4 (the latest major version) for consistency and to benefit from security updates and improvements. The current v2 version is no longer actively maintained.

Suggested change
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
uses: actions/checkout@v4

Copilot uses AI. Check for mistakes.
.github/workflows/release.yml
uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0
- name: Setup Node.js
uses: actions/setup-node@v1
uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
Copy link

Copilot AI Dec 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The actions/setup-node@v1 action is outdated. This workflow uses v1.4.6 while the build workflow uses v3.9.1. Consider upgrading to v4 (the latest major version) or at least v3 for consistency with the build workflow and to benefit from security updates and improvements. The v1 version is no longer actively maintained.

Suggested change
uses: actions/setup-node@f1f314fca9dfce2769ece7d933488f076716723e # v1.4.6
uses: actions/setup-node@v4

Copilot uses AI. Check for mistakes.
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Dec 3, 2025
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

ryoppippi
ryoppippi approved these changes Dec 3, 2025
View reviewed changes
Copy link
Member

@ryoppippi ryoppippi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@elgordomac elgordomac merged commit 8626a6f into main Dec 5, 2025
8 checks passed
@elgordomac elgordomac deleted the eng-11298/pinning-github-actions branch December 5, 2025 10:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@ryoppippi ryoppippi ryoppippi approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@elgordomac @ryoppippi