From 91d07cae51fefc19ea07de265f6c7ce1217b6b6c Mon Sep 17 00:00:00 2001
From: Bharath Balan <62698609+bhabalan@users.noreply.github.com>
Date: Thu, 9 Apr 2026 01:48:15 +0530
Subject: [PATCH] chore(ci): pin GitHub Actions to commit SHAs for supply chain security

Pin all GitHub Action references to immutable commit SHAs instead of mutable version tags. This prevents a class of supply chain attacks where an attacker force-pushes a tag to point at malicious code (as seen in the recent Trivy/TeamPCP incident, March 2026). 
---
 .github/workflows/deploy.yml | 30 +++++++-------
 .github/workflows/pull-request.yml | 48 +++++++++++------------
 .github/workflows/update-dependencies.yml | 6 +-
 3 files changed, 42 insertions(+), 42 deletions(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b25871a71..8ae229da3 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -27,19 +27,19 @@ jobs:
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v4 
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0 # Fetch all history for package comparison
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: ".nvmrc"
 registry-url: "https://registry.npmjs.org"
 cache: "yarn"
 - name: Install Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 id: cache-dependencies
 with:
 path: "**/node_modules" 
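Review bot: The trailing `# v4` on each new `uses:` line in this hunk (`actions/checkout@34e11487…`, `actions/setup-node@49933ea5…`, `actions/cache@0057852b…`) records only the major, so a reader cannot tell which release the SHA was resolved from or audit that it was resolved from the upstream repository at all; the same applies to every pinned line in the remaining hunks of deploy.yml and in pull-request.yml and update-dependencies.yml. Record the exact tag next to the SHA, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` (placeholder: fill in the tag the SHA was taken from), and confirm in review that each SHA is reachable from a tag in the upstream owner/repo, since a commit that exists only in a fork may still resolve through the `actions/…` path (worth checking against current GitHub behaviour). A full version in the comment is also what Dependabot's `github-actions` ecosystem and Renovate read to keep SHA pins current; nothing in this commit adds such a refresh, so without one the pins will drift behind upstream fixes to the actions themselves.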
@@ -83,17 +83,17 @@ jobs:
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v4 
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: ".nvmrc"
 registry-url: "https://registry.npmjs.org"
 cache: "yarn"
 - name: Restore Dependencies Cache 
- uses: actions/cache/restore@v4 
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: "**/node_modules"
 key: node-modules-${{ hashFiles('./yarn.lock') }}
@@ -136,7 +136,7 @@ jobs:
 - name: Cache Built Distributables
 if: steps.check-changes.outputs.has_changes == 'true' 
- uses: actions/cache/save@v4 
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: "**/dist"
 key: dist-${{ env.rid }}
@@ -157,25 +157,25 @@ jobs:
 run: echo "Documentation Deploy Steps"
 - name: Checkout Project 
- uses: actions/checkout@v4 
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
 cache: 'yarn'
 - name: Restore Dependencies Cache 
- uses: actions/cache/restore@v4 
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/node_modules'
 key: node-modules-${{ hashFiles('./yarn.lock') }}
 - name: Restore Distributables Cache 
- uses: actions/cache/restore@v4 
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/dist'
 key: dist-${{ env.rid }} 
@@ -222,25 +222,25 @@ jobs:
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v4 
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: ".nvmrc"
 registry-url: "https://registry.npmjs.org"
 cache: "yarn"
 - name: Restore Dependencies Cache 
- uses: actions/cache/restore@v4 
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: "**/node_modules"
 key: node-modules-${{ hashFiles('./yarn.lock') }}
 - name: Restore Distributables Cache 
- uses: actions/cache/restore@v4 
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: "**/dist"
 key: dist-${{ env.rid }}
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index f81801455..209710474 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -65,12 +65,12 @@ jobs:
 needs: validate
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v3 
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
@@ -78,7 +78,7 @@ jobs:
 - id: validate-dependencies
 name: Validate Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/node_modules'
 key: node-modules-${{ hashFiles('./yarn.lock') }}
@@ -91,7 +91,7 @@ jobs:
 run: yarn
 - name: Cache Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 if: steps.validate-dependencies.outputs.cache-hit != 'true'
 with:
 path: '**/node_modules' 
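Review bot: The `actions/checkout@f43a0e5f…` line in the `@@ -65,12` hunk of pull-request.yml pins the v3 major, while deploy.yml in this same commit pins checkout at v4 (`34e11487…`); the SHA makes the reference immutable, but it also freezes the job on an older major, and the same holds for the other checkout pins in pull-request.yml and for the v2 pin (`ee0669bd…`) in update-dependencies.yml. Older checkout majors run on Node runtimes that GitHub has been deprecating (v3 on Node 16, as far as I recall — verify against the actions/checkout release notes), so pinning them turns a future runner warning into a silently stale dependency. Moving these lines to the v4 SHA already used in deploy.yml, `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`, would leave one pin to maintain across the three workflows.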
@@ -102,19 +102,19 @@ jobs:
 needs: install
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v3 
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
 cache: 'yarn'
 - name: Uncache Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/node_modules'
 key: node-modules-${{ hashFiles('./yarn.lock') }}
@@ -126,7 +126,7 @@ jobs:
 run: yarn run build
 - name: Cache Distributables 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/dist'
 key: dist-${{ env.rid }}
@@ -136,19 +136,19 @@ jobs:
 needs: install
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v3 
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
 cache: 'yarn'
 - name: Uncache Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/node_modules'
 key: node-modules-${{ hashFiles('./yarn.lock') }} 
@@ -167,25 +167,25 @@ jobs:
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v3 
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
 cache: 'yarn'
 - name: Uncache Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/node_modules'
 key: node-modules-${{ hashFiles('./yarn.lock') }}
 - name: Uncache Distributables 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/dist'
 key: dist-${{ env.rid }}
@@ -201,19 +201,19 @@ jobs:
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v3 
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
 cache: 'yarn'
 - name: Uncache Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/node_modules'
 key: node-modules-${{ hashFiles('./yarn.lock') }}
@@ -222,7 +222,7 @@ jobs:
 run: npx playwright install --with-deps
 - name: Uncache Distributables 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/dist'
 key: dist-${{ env.rid }}
@@ -236,7 +236,7 @@ jobs:
 - name: Run Playwright tests
 run: yarn run test:e2e 
- - uses: actions/upload-artifact@v4 
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: ${{ !cancelled() }}
 with:
 name: playwright-report 
@@ -250,25 +250,25 @@ jobs:
 needs: [install, build]
 steps:
 - name: Checkout Project 
- uses: actions/checkout@v3 
+ uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup Node 
- uses: actions/setup-node@v4 
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version-file: '.nvmrc'
 registry-url: 'https://registry.npmjs.org'
 cache: 'yarn'
 - name: Uncache Dependencies 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/node_modules'
 key: node-modules-${{ hashFiles('./yarn.lock') }}
 - name: Uncache Distributables 
- uses: actions/cache@v4 
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: '**/dist'
 key: dist-${{ env.rid }}
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
index fab797a44..a0de95986 100644
--- a/.github/workflows/update-dependencies.yml
+++ b/.github/workflows/update-dependencies.yml
@@ -8,7 +8,7 @@ jobs:
 if: github.event.action == 'component-adapter-interfaces:version-changed'
 steps:
 - name: checkout 
- uses: actions/checkout@v2 
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - run: |
 npm install @webex/component-adapter-interfaces
 if [ -n "$(git status --porcelain)" ]; then
@@ -24,7 +24,7 @@ jobs:
 if: github.event.action == 'components:version-changed'
 steps:
 - name: checkout 
- uses: actions/checkout@v2 
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - run: |
 npm install @webex/components
 if [ -n "$(git status --porcelain)" ]; then
@@ -40,7 +40,7 @@ jobs:
 if: github.event.action == 'sdk-component-adapter:version-changed'
 steps:
 - name: checkout 
- uses: actions/checkout@v2 
+ uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 - run: |
 npm install @webex/sdk-component-adapter
 if [ -n "$(git status --porcelain)" ]; then