
chore: pin third-party GitHub Actions to commit SHAs #45

Open
pkaeding wants to merge 1 commit into main from security/SEC-7924/pin-github-actions

Conversation


@pkaeding pkaeding commented Mar 25, 2026

Summary

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks.

Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.

Test plan

  • Verify CI passes with pinned action SHAs

Note

Low Risk
Low risk workflow-only change that pins action versions to specific SHAs; main risk is CI/release breakage if the pinned commits diverge from expected v4/release/v1 behavior.

Overview
Hardens the release workflows against GitHub Action supply-chain changes by pinning previously tag-referenced third-party actions to immutable commit SHAs.

release-please.yml now pins googleapis/release-please-action to a specific commit, and both release-please.yml and manual-publish.yml pin pypa/gh-action-pypi-publish (with comments indicating the original tags).

Written by Cursor Bugbot for commit a87695d.

Pin all third-party GitHub Actions to full-length commit SHAs to prevent
supply chain attacks. Addresses findings from the
third-party-action-not-pinned-to-commit-sha Semgrep rule.
@pkaeding pkaeding requested a review from a team as a code owner March 25, 2026 17:03
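As an added example, not part of this PR or the repository, the following Python check implements the policy the PR enforces: it scans a workflow's `uses:` references and reports any third-party action pinned to a mutable tag or branch rather than a full 40-hex commit SHA. The sample workflow and the all-zero SHA in it are constructed placeholders, and the `trusted_owners` parameter is an assumption for exempting first-party owners such as `actions`, which goes beyond what the PR description states.

```python
import re

# Constructed sample workflow, not the repository's own file. The 40-zero SHA is a
# placeholder, not a real googleapis/release-please-action commit.
SAMPLE_WORKFLOW = """\
name: release
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: googleapis/release-please-action@0000000000000000000000000000000000000000 # v4
      - uses: pypa/gh-action-pypi-publish@release/v1
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Return 'local', 'docker', 'sha' or 'tag' for one `uses:` reference."""
    ref = ref.strip("'\"")
    if ref.startswith("./"):
        return "local"          # repository-local action, no external supply chain
    if ref.startswith("docker://"):
        return "docker"         # container image; pinned by digest, not by commit SHA
    _, _, version = ref.partition("@")
    # Only a full-length SHA is immutable; short SHAs, tags and branches can move.
    return "sha" if FULL_SHA_RE.match(version) else "tag"


def find_unpinned(workflow_text, trusted_owners=frozenset()):
    """Return (line_no, ref) for each action not pinned to a full commit SHA.

    trusted_owners (assumed helper, not from the PR) exempts owners you accept
    as first-party, e.g. {"actions"} for GitHub's own actions.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        owner = ref.split("/", 1)[0]
        if classify_uses(ref) == "tag" and owner not in trusted_owners:
            findings.append((line_no, ref))
    return findings


if __name__ == "__main__":
    for line_no, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} is pinned to a mutable ref, not a commit SHA")
```

Run against real workflow files, the check reproduces the Semgrep finding this PR addresses; the comment after a pinned SHA (`# v4`) is what keeps the original tag readable, as the PR's overview describes.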