
chore(ci): pin GitHub Actions to commit SHAs for supply chain security#669

Draft
bhabalan wants to merge 1 commit into webex:next from bhabalan:chore/pin-github-actions-to-shas

Conversation

@bhabalan
Contributor

@bhabalan bhabalan commented Apr 8, 2026

COMPLETES N/A — proactive security hardening

This pull request addresses

The recent Trivy supply chain attack (March 2026, TeamPCP/DeadCatx3) demonstrated that mutable GitHub Action version tags can be force-pushed to point at malicious code. Any CI/CD pipeline referencing actions by tag (e.g., actions/checkout@v4) would silently execute the attacker's payload. While this repo was not directly affected (no Trivy usage), all three workflow files used mutable version tags for GitHub Actions, leaving them vulnerable to the same class of attack.

by making the following changes

Pin all GitHub Action `uses:` references to immutable commit SHAs across all three workflow files, with the version tag preserved as an inline comment for readability:

  • pull-request.yml — pinned actions/checkout@v3, actions/setup-node@v4, actions/cache@v4, actions/upload-artifact@v4
  • deploy.yml — pinned actions/checkout@v4, actions/setup-node@v4, actions/cache@v4, actions/cache/restore@v4, actions/cache/save@v4
  • update-dependencies.yml — pinned actions/checkout@v2

Change Type

  • Tooling change

The following scenarios were tested

  • Verified all SHA references resolve to the correct tagged commits via GitHub API
  • Confirmed no unauthorized commits or tag changes occurred in the March 20-22 breach window (git log, reflog, and tag audit)
  • All existing unit tests pass (pre-commit hook)

The GAI Coding Policy And Copyright Annotation Best Practices

  • GAI was used to create a draft that was subsequently customized or modified
  • Tool used for AI assistance (GitHub Copilot / Other - specify)
    • Other - Claude Code
  • This PR is related to
    • Tech Debt

Checklist before merging

  • I have not skipped any automated checks
  • All existing and new tests passed
  • I have updated the testing document
  • I have tested the functionality with amplify link
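
The audit and rewrite that the PR description performs by hand, as an added example that is not code from the webex repository or from the PR author. It flags every `uses:` reference that points at a tag, branch or short SHA, rewrites those lines to the `@<sha> # <tag>` form the PR adopts, and shows how a tag is resolved to a commit through the GitHub git-refs API, including the annotated-tag case where the ref points at a tag object rather than a commit. The workflow text and the tag-to-SHA table are constructed for the example and do not contain the real commits behind the actions/* tags; `github_tag_to_sha` is the only part that needs the network and is not exercised offline.

```python
"""Audit GitHub Actions workflows for mutable `uses:` refs and pin them to SHAs."""
import json
import re
import urllib.request

# Matches `uses: owner/repo[/subdir]@ref` with an optional trailing `# comment`.
# Local actions (`./path`) and `docker://` images have no `owner/repo@ref`
# shape and are deliberately not matched.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
# Only a full 40-hex SHA-1 is immutable; short SHAs, tags and branches are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed for this example: NOT the real commits behind the actions/* tags.
EXAMPLE_TAG_TO_SHA = {
    ("actions/checkout", "v4"): "1111111111111111111111111111111111111111",
    ("actions/setup-node", "v4"): "2222222222222222222222222222222222222222",
    ("actions/cache", "v4"): "3333333333333333333333333333333333333333",
}

# Constructed workflow in the shape of a pull-request.yml (not the repo's real file).
EXAMPLE_WORKFLOW = """\
name: pull-request
on: pull_request
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: actions/cache/restore@v4
      - uses: actions/upload-artifact@4444444444444444444444444444444444444444 # v4
"""


def audit(workflow_text):
    """Classify every `uses:` line as 'pinned', 'pinned-no-comment' or 'mutable'."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        if FULL_SHA_RE.match(m["ref"]):
            # A pin without the `# vN` comment is immutable but unreviewable, and
            # the comment is what Dependabot/Renovate read to propose bumps.
            status = "pinned" if "#" in m["rest"] else "pinned-no-comment"
        else:
            status = "mutable"
        findings.append((n, m["action"], m["ref"], status))
    return findings


def pin(workflow_text, resolve):
    """Rewrite mutable refs to `@<sha> # <ref>`; already-pinned lines are kept.

    `resolve(repo, ref)` must return the 40-hex commit SHA. `repo` is the
    owner/repo part only, so `actions/cache/restore@v4` resolves `actions/cache`.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m["ref"]):
            repo = "/".join(m["action"].split("/")[:2])
            sha = resolve(repo, m["ref"])
            if not FULL_SHA_RE.match(sha):
                raise ValueError(f"resolver returned a non-SHA for {repo}@{m['ref']}: {sha!r}")
            existing = m["rest"].strip()  # keep any comment the author already had
            line = f"{m['indent']}{m['action']}@{sha} # {m['ref']}" + (f" {existing}" if existing else "")
        out.append(line)
    return "\n".join(out) + "\n"


def github_tag_to_sha(repo, tag, token=None):
    """Resolve a tag to its commit via the GitHub REST git-refs API (network required).

    An annotated tag ref points at a tag object, not a commit, so dereference it
    once more; pinning the tag object's SHA would not work in `uses:`.
    """
    def get(url):
        req = urllib.request.Request(url, headers={"Accept": "application/vnd.github+json"})
        if token:
            req.add_header("Authorization", f"Bearer {token}")
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    obj = get(f"https://api.github.com/repos/{repo}/git/ref/tags/{tag}")["object"]
    if obj["type"] == "tag":
        obj = get(f"https://api.github.com/repos/{repo}/git/tags/{obj['sha']}")["object"]
    if obj["type"] != "commit":
        raise ValueError(f"{repo}@{tag} does not resolve to a commit: {obj}")
    return obj["sha"]


if __name__ == "__main__":
    for n, action, ref, status in audit(EXAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} -> {status}")
    print(pin(EXAMPLE_WORKFLOW, lambda repo, ref: EXAMPLE_TAG_TO_SHA[(repo, ref)]))
```

Two points worth keeping in mind when running this against a real repo: a pinned SHA is immutable but also frozen, so the `# v4` comment has to stay in sync with the hash for Dependabot or Renovate to keep proposing updates; and the check treats short SHAs and branch names as mutable on purpose, since neither identifies a single commit for good.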

Pin all GitHub Action references to immutable commit SHAs instead of
mutable version tags. This prevents a class of supply chain attacks
where an attacker force-pushes a tag to point at malicious code
(as seen in the recent Trivy/TeamPCP incident, March 2026).
@aws-amplify-us-east-2

This pull request is automatically being deployed by Amplify Hosting.

Access this pull request here: https://pr-669.d1b38q61t1z947.amplifyapp.com

