
fix: pin GitHub Actions to SHA for supply chain security#183

Open
apham0001 wants to merge 1 commit into main from fix/pin-github-actions-sha

Conversation

@apham0001
Contributor

@apham0001 apham0001 commented Mar 24, 2026

Summary

  • Pin all GitHub Actions uses: references to commit SHAs for supply chain security
  • Original version tags preserved as inline comments for maintainability
  • Mitigates supply chain attacks where a compromised tag could inject malicious code (ref: Trivy incident March 2026)

Changes

  • All uses: owner/action@tag → uses: owner/action@SHA # tag
  • No version changes, only pinning format

Test plan

  • Verify CI workflows run successfully
  • Confirm no action versions changed, only pinning format
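An added check for the pinning format described in this PR (example code, not from the PR or the repository): it scans the uses: lines of a workflow and reports which refs are full 40-hex commit SHAs, which pinned refs lack the inline tag comment, and which are still mutable tags or branches. The sample workflow and its SHAs are constructed; the action names come from this PR.

```python
import re

# Matches an unquoted workflow step line such as "  - uses: owner/action@ref # comment"
# (group 1 = action path, group 2 = ref, group 3 = optional trailing comment).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)\s*(?:#\s*(.*?))?\s*$")
# A full 40-hex commit SHA is the only immutable ref; tags and branches can be moved.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(ref, comment):
    """Return 'pinned', 'pinned-no-tag-comment' or 'unpinned' for one uses: reference."""
    if not FULL_SHA_RE.match(ref):
        return "unpinned"  # tag, branch or abbreviated SHA: mutable or ambiguous
    if not comment:
        return "pinned-no-tag-comment"  # immutable, but the human-readable version is lost
    return "pinned"

def audit_workflow(text):
    """Scan workflow YAML text; return [(line_no, action, ref, verdict), ...]."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue  # not a remote action reference (local ./ actions have no @ref)
        action, ref, comment = m.group(1), m.group(2), m.group(3)
        findings.append((line_no, action, ref, classify_ref(ref, comment)))
    return findings

def unpinned_actions(text):
    """Only the findings that should block a merge: refs that are not full commit SHAs."""
    return [f for f in audit_workflow(text) if f[3] == "unpinned"]

# Constructed sample workflow (not from the repository) mixing the three cases.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - name: Script step
        uses: actions/github-script@main
      - uses: peter-evans/create-pull-request@89abcdef0123456789abcdef0123456789abcdef
"""

if __name__ == "__main__":
    for line_no, action, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {action}@{ref} -> {verdict}")
```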

@apham0001 apham0001 requested a review from a team as a code owner March 24, 2026 15:14

@coderabbitai
Contributor

coderabbitai bot commented Mar 24, 2026

Walkthrough

GitHub Actions workflows in the repository have been updated to pin third-party actions to specific commit SHAs instead of using floating version tags. Six actions across four workflow files are now locked to exact commit references while maintaining the same v2, v3, or main labels for clarity.

Changes

Cohort / File(s): GitHub Actions Version Pinning
  .github/workflows/build-deploy-obol-sdk.yml, .github/workflows/ci.yml, .github/workflows/label-issues.yml, .github/workflows/release-pr.yml
Summary: Pinned actions like actions/checkout, actions/setup-node, martinbeentjes/npm-get-version-action, ffurrer2/extract-release-notes, rickstaa/action-create-tag, ncipollo/release-action, actions/github-script, and peter-evans/create-pull-request to specific commit SHAs instead of floating version tags for improved reproducibility and security.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Through workflows we hop with versions so tight,
Each action now pinned to commits burning bright,
No floating about on the tag-laden breeze,
Our builds are secure and flow with such ease!

Pre-merge checks: 3 passed
  • Title check (Passed): The title accurately describes the main change: pinning GitHub Actions to commit SHAs for supply chain security, which aligns with all file modifications in the changeset.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check (Passed): Check skipped - CodeRabbit's high-level summary is enabled.

