chore: pin external GitHub Actions to commit SHAs #41
joel-phantom wants to merge 1 commit into master
Conversation
Pin all unpinned external GitHub Action `uses:` references to their current full 40-character commit SHAs, with original ref in a comment. This is part of the org-wide supply chain security hardening effort. Refs: SEC-7928, SEC-6683
📝 Walkthrough
GitHub Actions workflows across the repository were updated to pin external actions to specific commit SHAs instead of floating version tags. This change was applied consistently across all CI/CD workflow files to enhance security and reproducibility.
Changes
🚥 Pre-merge checks: 3 passed
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Line 25: Update the GitHub Actions step that references the setup-node action so it uses the v4 release; locate the line containing "uses: actions/setup-node@..." in the release workflow and change the reference from v3 to v4 (e.g., actions/setup-node@v4) so the release.yml aligns with other CI workflows and receives ongoing updates and Node.js 20+ support.
📒 Files selected for processing (7)
- .github/workflows/android-ci.yml
- .github/workflows/detox.yml
- .github/workflows/ios-ci.yml
- .github/workflows/macos-ci.yml
- .github/workflows/release.yml
- .github/workflows/stale.yml
- .github/workflows/windows-ci.yml
| - name: Setup Node.js 20.x | ||
| uses: actions/setup-node@v3 | ||
| uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 |
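Review bot: the trailing comment on the new line records only the floating major tag (`# v3`), not the exact release the SHA was resolved from; since `v3` is a moving tag, record the specific tag the pinned commit carries (a `# v3.x.y`-style comment, whichever tag that commit actually has) so that SHA-pin updaters such as Dependabot can read it and keep the pin current, and confirm the SHA resolves to a tagged commit in actions/setup-node before merging. Given the finding below that v3 is no longer maintained, it is also worth pinning to the SHA of a v4 release here instead, so release.yml stays consistent with the other workflows.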
🧩 Analysis chain
🌐 Web query:
Is actions/setup-node v3 still actively maintained, and are there any official recommendations to migrate workflows from v3 to v4?
💡 Result:
No, actions/setup-node v3 is not actively maintained. The last release for v3 was v3.0.0 in February 2022. Active development and releases are on v6 (latest v6.3.0 in March 2026), with v4, v5, and v6 receiving updates including dependency bumps and feature enhancements into 2026. Official documentation and examples use v6, and GitHub Docs recommend v4 or later. Yes, there are official recommendations to migrate from v3 to v4 (and newer). The repository README lists breaking changes for v4, v5, v6, implying migration from older versions like v3. Issues and deprecation notices for older versions (e.g., v2 relying on deprecated cache) urge upgrading to v4. GitHub Docs examples use actions/setup-node@v4. Stack Overflow and issues highlight Node 16 deprecation in v3 actions, recommending v4 which uses Node 20+.
🏁 Script executed:
#!/bin/bash
# Find all workflow files and check setup-node versions
# (name patterns are grouped so that -type f applies to both)
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) | while read -r file; do
  echo "=== $file ==="
  grep -n "setup-node" "$file" || echo "(no setup-node found)"
done
Repository: phantom/react-native-webview
Length of output: 851
Upgrade actions/setup-node from v3 to v4 for consistency and maintenance.
The release workflow uses setup-node@v3, which has been unmaintained since February 2022. All other CI workflows (android-ci, detox, ios-ci, macos-ci, windows-ci) use v4, which receives ongoing updates and supports Node.js 20+. Aligning to v4 removes the maintenance drift and aligns with GitHub's official recommendations for migration.
Summary
- Pin all unpinned external GitHub Action `uses:` references to full 40-character commit SHAs
Motivation
- Supply chain security hardening: pinning actions to immutable commit SHAs prevents silent changes from compromised or force-pushed tags.
- Part of the org-wide audit tracked in SEC-6683 and SEC-7928.
Test plan
🤖 Generated with Claude Code
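A small lint that checks workflow text for the property this PR enforces (every external `uses:` reference pinned to a 40-hex commit SHA, with the original tag recorded in a trailing comment). This is an added example, not code from the phantom/react-native-webview repository; the sample workflow text, the `actions/cache` SHA and `some-org/some-action` are constructed for the example, and the `setup-node` SHA is the one from this PR's diff.

```python
"""Lint GitHub Actions workflow text for unpinned external `uses:` references.

Added example for this PR's motivation (pinning external actions to full commit
SHAs); not code from the phantom/react-native-webview repository.
"""
import re
from typing import List, Tuple

# owner/repo[/path]@ref, optionally followed by a "# vX" comment recording the tag
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_refs(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, reference, finding) for every `uses:` line that is
    not pinned to an immutable 40-hex commit SHA with a version comment.
    Local (./) and docker:// references are out of scope for SHA pinning."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((lineno, ref, "no ref: resolves to the default branch"))
            continue
        _, version = ref.rsplit("@", 1)
        if not SHA_RE.fullmatch(version):
            findings.append((lineno, ref, "mutable tag or branch, not a commit SHA"))
        elif comment is None:
            findings.append((lineno, ref, "SHA pinned but original tag not recorded"))
    return findings


# Constructed sample: mixes pinned, unpinned and out-of-scope references.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Setup Node.js 20.x
    uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local-step
  - uses: docker://alpine:3.19
  - uses: some-org/some-action
"""

if __name__ == "__main__":
    for lineno, ref, why in check_uses_refs(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {why}")
```

Run against the sample it reports the floating `actions/checkout@v4` tag, the SHA pin that lacks a version comment, and the reference with no ref at all; the SHA-pinned `setup-node` line from this PR passes.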
Summary by CodeRabbit
Release Notes