
Update GitHub Actions to use specific versions#66

Status: Open
GoldMinerN wants to merge 1 commit into junjiem:main from GoldMinerN:patch-1

Conversation


@GoldMinerN GoldMinerN commented May 8, 2026

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow to use newer versions of checkout and Python setup actions.


coderabbitai Bot commented May 8, 2026


📝 Walkthrough

The GitHub Actions build workflow is updated to pin action versions to specific patch releases. actions/checkout is pinned to v4.2.2 and actions/setup-python to v5.3.0, replacing major-version references for improved reproducibility.

Changes

Workflow Dependency Updates

Layer / File(s): Action Versions (.github/workflows/build.yml)
Summary: actions/checkout@v4 pinned to @v4.2.2 and actions/setup-python@v5 pinned to @v5.3.0 for deterministic builds.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A rabbit hops through workflows lean,
Pinning versions, crisp and clean,
No more drifting with the tide,
Reproducible builds with pride!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: updating the GitHub Actions workflow to use specific pinned versions (checkout@v4.2.2 and setup-python@v5.3.0) instead of major version tags.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build.yml:
- Around line 45-48: Replace the current action pins using tags
(actions/checkout@v4.2.2 and actions/setup-python@v5.3.0) with immutable commit
SHA pins: look up the exact commit SHA for each action in their upstream GitHub
repos (actions/checkout and actions/setup-python) that correspond to the desired
release, and update the workflow uses: entries to actions/checkout@<commit-sha>
and actions/setup-python@<commit-sha> so the workflow is pinned to the specific
commit rather than a mutable tag.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 02a75bc7-a4ba-4040-978f-c7b160f8b55b

📥 Commits

Reviewing files that changed from the base of the PR and between 1a2cb48 and 6f9396a.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Comment on lines +45 to +48
uses: actions/checkout@v4.2.2

- name: Set up Python 3.12
uses: actions/setup-python@v5
uses: actions/setup-python@v5.3.0
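Review bot: `uses: actions/checkout@v4.2.2` and `uses: actions/setup-python@v5.3.0` (lines 45-48) still resolve through tags, and a tag in the upstream repository can be retargeted or deleted, so the build is reproducible only as long as nobody moves it; the previous `actions/setup-python@v5` line had the same property at major-version granularity. Suggest pinning each to the full 40-character commit SHA with the tag kept as a trailing comment (`uses: actions/checkout@<commit-sha>  # v4.2.2`), and enabling Dependabot's `github-actions` ecosystem so SHA pins keep receiving update pull requests instead of going stale.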

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Resolve immutable commit SHAs for the currently selected tags.
set -euo pipefail

resolve_tag_commit() {
  local owner_repo="$1" tag="$2"
  local ref_json type sha
  ref_json="$(curl -fsSL "https://api.github.com/repos/${owner_repo}/git/ref/tags/${tag}")"
  type="$(printf '%s' "$ref_json" | jq -r '.object.type')"
  sha="$(printf '%s' "$ref_json" | jq -r '.object.sha')"

  if [[ "$type" == "tag" ]]; then
    # annotated tag -> dereference to commit
    curl -fsSL "https://api.github.com/repos/${owner_repo}/git/tags/${sha}" | jq -r '.object.sha'
  else
    # lightweight tag -> already commit
    printf '%s\n' "$sha"
  fi
}

echo "actions/checkout@v4.2.2 => $(resolve_tag_commit actions/checkout v4.2.2)"
echo "actions/setup-python@v5.3.0 => $(resolve_tag_commit actions/setup-python v5.3.0)"

Repository: junjiem/dify-plugin-repackaging

Length of output: 215


🏁 Script executed:

cat -n .github/workflows/build.yml | sed -n '40,55p'

Repository: junjiem/dify-plugin-repackaging

Length of output: 672


🌐 Web query:

GitHub Actions pinning versions commit SHA vs tag best practices security

💡 Result:

Best practice: Pin GitHub Actions third-party (and any high-risk) dependencies to full, immutable commit SHAs (not tags), and (optionally) enforce this with GitHub Actions policies.

1) Why commit SHA pinning is preferred over tags
  • GitHub explicitly states: “Pin actions to a full-length commit SHA” is currently “the only way to use an action as an immutable release,” and that it helps mitigate the risk of a bad actor adding a backdoor to the action’s repository (they’d need to generate a SHA-1 collision for a valid Git object payload). [1]
  • GitHub also notes that tag pinning is less secure because a tag can be moved or deleted if a bad actor gains access to the action’s repository; commit SHAs are immutable references to a specific repository state. [1]

2) What GitHub recommends you do in practice
  • Use full-length commit SHAs in the workflow uses: value (for example: owner/repo@<40+ hex chars>). [1]
  • When selecting the SHA, verify it is from the action’s repository and not a repository fork. [1]
  • If you still use a tag, GitHub recommends only doing so when you trust the creator, while noting the risk that tags can be moved or deleted. [1]

3) Security governance: enforce SHA pinning at the org/repo level
  • GitHub’s changelog says administrators can enforce SHA pinning through the allowed actions policy; the policy checks for a full commit SHA and workflows that attempt to use an action that isn’t pinned will fail. [2]

4) Commit SHA vs tag: quick rule
  • For supply-chain resistance/immutability: prefer full commit SHA pinning. [1]
  • For convenience: tags are widely used, but they’re mutable and therefore less secure. [1]

5) How teams maintain/update pinned SHAs
  • A common maintainability pattern is pinning to a SHA while retaining the original version/tag as an inline comment (e.g., actions/checkout@<sha> # v4.1.1) so updates are understandable. [3]

If you share a few of your current uses: lines, I can show how to convert each from a tag to the corresponding full commit SHA pin and keep the version comments.


Pin third-party actions by commit SHA, not tag, for immutable builds.

v4.2.2/v5.3.0 is better than major tags, but GitHub's security documentation confirms that tags can be moved or deleted if a bad actor gains access. For supply-chain integrity and reproducibility, pin uses: to full commit SHAs instead.

Suggested change
       - name: Checkout repository
-        uses: actions/checkout@v4.2.2  
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

       - name: Set up Python 3.12
-        uses: actions/setup-python@v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
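Review bot: before the two SHAs in this suggestion are committed, confirm that they are the commits the `v4.2.2` and `v5.3.0` tags point to in `actions/checkout` and `actions/setup-python` themselves, not in a fork; the `resolve_tag_commit` script above does exactly that lookup, including dereferencing annotated tags to their commit. Keep the `# v4.2.2` and `# v5.3.0` trailing comments so the version stays readable from the workflow file when reviewing later updates.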
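Added example (not part of the review above or of the dify-plugin-repackaging project): a small Python checker that applies the policy the review describes to a whole workflow file rather than to two lines. It reports every `uses:` entry that resolves through a mutable tag or branch (local `./` actions and `docker://` images are classified separately, and reusable-workflow references are covered too), and rewrites the entries it has a resolved commit for to a full SHA pin with the tag kept as a trailing comment. The workflow excerpt, the `example-org/example-action` entry and its placeholder SHA are constructed; the `RESOLVED` mapping reuses the two SHAs printed in the suggested change above, and in practice a lookup such as the `resolve_tag_commit` script would populate it.

```python
import re

# Matches a `uses:` line and keeps the prefix (indent, optional "- ", "uses: ")
# so the line can be rewritten in place.
USES_RE = re.compile(r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<ref>\S+)(?P<rest>.*)$")
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed workflow excerpt modelled on the lines under review.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.2
      - name: Set up Python 3.12
        uses: actions/setup-python@v5.3.0
      - name: Local composite action (constructed)
        uses: ./.github/actions/lint
      - name: Already pinned (constructed placeholder SHA)
        uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.0.0
"""

# "owner/repo@tag" -> commit SHA. These two values are the ones printed in the
# review's suggested change; a tag-to-commit lookup against the upstream
# repositories is what fills this mapping in practice.
RESOLVED = {
    "actions/checkout@v4.2.2": "11bd71901bbe5b1630ceea73d27597364c9af683",
    "actions/setup-python@v5.3.0": "0b93645e9fea7318ecaed2b359559ac225c90a2b",
}


def classify_ref(ref: str) -> str:
    """Classify an action reference as 'local', 'docker', 'sha' or 'mutable'."""
    if ref.startswith("./"):
        return "local"      # action inside this repo: fixed by the checkout itself
    if ref.startswith("docker://"):
        return "docker"     # container images are pinned by digest, checked separately
    if "@" not in ref:
        return "mutable"    # no ref at all: whatever the default branch is today
    _, version = ref.rsplit("@", 1)
    return "sha" if SHA_RE.fullmatch(version) else "mutable"


def find_mutable_pins(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line number, reference) for each uses: entry not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify_ref(m.group("ref")) == "mutable":
            findings.append((lineno, m.group("ref")))
    return findings


def pin_to_sha(workflow_text: str, resolved: dict[str, str]) -> str:
    """Rewrite the tag pins listed in `resolved` to SHA pins, keeping the tag as a comment."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group("ref") in resolved:
            action, tag = m.group("ref").rsplit("@", 1)
            sha = resolved[m.group("ref")]
            if not SHA_RE.fullmatch(sha):
                # refuse short or malformed values: only a full SHA is immutable
                raise ValueError(f"not a full commit SHA for {m.group('ref')}: {sha}")
            line = f"{m.group('prefix')}{action}@{sha}  # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, ref in find_mutable_pins(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
    print(pin_to_sha(SAMPLE_WORKFLOW, RESOLVED))
```

Running the block on the constructed excerpt flags lines 8 and 10 and leaves the local action and the already pinned entry alone; running `find_mutable_pins` again on the rewritten text returns nothing. The `rest` group captures any existing trailing comment so a previous `# v4.1.1` annotation is replaced rather than duplicated, and a `resolved` value that is not a full 40-character SHA is rejected rather than written into the workflow.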
