ci: pin GitHub Actions to commit SHAs#247

Open
nicklasl wants to merge 1 commit into main from nicklasl/chore/pin-actions-to-sha

Conversation

@nicklasl
Member

Summary

  • Pin all GitHub Actions to immutable commit SHAs to mitigate supply chain attacks (e.g. TanStack "Mini Shai-Hulud")
  • Switch PR build Gradle cache to read-only actions/cache/restore to prevent fork cache poisoning

Test plan

  • CI passes with SHA-pinned actions
  • PR builds still restore Gradle cache but no longer write to it

🤖 Generated with Claude Code

Mitigate supply chain attacks by pinning all third-party actions to
immutable commit SHAs. Switch PR build cache to read-only restore
to prevent fork PRs from poisoning the shared Gradle cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@nicklasl nicklasl marked this pull request as ready for review May 20, 2026 11:17
@nicklasl nicklasl changed the title from "fix(ci): pin GitHub Actions to commit SHAs" to "ci: pin GitHub Actions to commit SHAs" May 20, 2026
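The two changes this PR describes (SHA-pinned actions, read-only cache restore on PR builds) can be checked mechanically. The scanner below is an added example, not code from this PR or the project; the sample workflow, the `example-org/gradle-build` action, the version comments and the 40-hex SHA in it are constructed placeholders.

```python
import re

# A full 40-hex commit SHA is the only immutable reference to a GitHub-hosted action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A `uses:` step line: the action reference (optionally quoted) plus any trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?\s*(#.*)?$""")

def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, uses_value, problem) for every step that is not safely pinned."""
    findings = []
    # Crude trigger check: a pull_request trigger means fork PRs can run these steps.
    pr_triggered = re.search(r"^on:.*pull_request|^\s+pull_request", text, re.M) is not None
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        value, comment = m.groups()
        if value.startswith("./"):
            continue  # local action: same commit as the workflow itself, nothing to pin
        if value.startswith("docker://"):
            if "@sha256:" not in value:
                findings.append((n, value, "docker image not pinned by digest"))
            continue
        action, _, ref = value.rpartition("@")
        if pr_triggered and action == "actions/cache":
            # Read-write cache in a PR workflow lets a fork PR poison the shared cache;
            # use actions/cache/restore here and save only from trusted branch builds.
            findings.append((n, value, "read-write cache in pull_request workflow"))
        if not SHA_RE.match(ref):
            findings.append((n, value, "mutable ref (tag or branch), not a commit SHA"))
        elif not comment:
            findings.append((n, value, "SHA pin without a version comment for update tooling"))
    return findings

# Constructed sample workflow; the SHA and the example-org action are placeholders, not real refs.
SAMPLE = """\
name: pr-build
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/setup
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.2.0
      - uses: example-org/gradle-build@0123456789abcdef0123456789abcdef01234567
      - uses: docker://alpine:3.20
"""
```

Running `audit_workflow(SAMPLE)` flags the tag-pinned checkout, the read-write cache in a PR-triggered job, the SHA pin without a version comment, and the digest-less docker image; the version comment matters because Dependabot and Renovate use it to bump SHA-pinned actions.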