fix: pin GitHub Actions to commit hashes by harekrishnarai · Pull Request #1474 · slsa-framework/slsa · GitHub

Conversation

@harekrishnarai (Contributor)

Pin GitHub Actions to commit hashes

This pull request pins all GitHub Actions in workflow files to specific commit hashes to improve security and ensure reproducible builds.

Changes Made

  • Converted version tags (e.g., v3, v4) to commit hashes
  • Added comments showing the original version and date for reference
  • Preserved all existing functionality while improving security

Benefits

  • Security: Prevents supply chain attacks by ensuring immutable action references
  • Reproducibility: Guarantees the same action version is used across all runs
  • Auditability: Clear tracking of which specific version of each action is being used

Review Notes

  • All pinned actions maintain their original functionality
  • Comments preserve the original version information with dates for easy reference
  • No workflow behavior changes are expected

This change follows GitHub's security best practices for action pinning.

Pin GitHub Actions to commit hashes for improved security and reproducible builds
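As an added example (not code from the slsa-framework/slsa repository or from this PR), here is a small Python auditor for the kind of change the PR makes: it flags every `uses:` reference in a workflow that is not a full-length commit SHA and rewrites tag references from a tag-to-SHA map, keeping the original tag as a trailing comment the way the PR description says the changed workflows do. The sample workflow, the `some-org/some-action` name and every SHA value in it are constructed placeholders; in practice the SHA for a tag comes from `git ls-remote --tags https://github.com/<owner>/<repo>`, and for an annotated tag the peeled `refs/tags/<tag>^{}` entry is the commit to pin, not the tag object.

```python
"""Audit GitHub Actions workflows for `uses:` references that are not pinned to
a full commit SHA, and rewrite tag references from a tag->SHA map.

Added example for this PR discussion; it is not code from the
slsa-framework/slsa repository. SAMPLE_WORKFLOW and the SHA values in PINS are
constructed for the demonstration and are not real commits of the named actions.
"""
import re
from typing import Dict, List, Tuple

# A step's `uses:` value, with or without a leading list dash or quotes.
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*)uses:\s*["\']?(?P<ref>[^\s"\'#]+)["\']?(?P<rest>.*)$'
)
# GitHub Actions repositories use SHA-1, so a full SHA is exactly 40 hex digits.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref: str) -> str:
    """Say how an action reference is versioned."""
    if ref.startswith("./"):
        return "local"        # same-repo path: versioned with the calling repo
    if ref.startswith("docker://"):
        return "docker"       # image tag: mutable, pin by @sha256 digest instead
    if "@" not in ref:
        return "unversioned"
    version = ref.rpartition("@")[2]
    return "sha" if FULL_SHA_RE.match(version) else "tag-or-branch"


def audit(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ref, kind) for every `uses:` not pinned to a full SHA.

    Local actions are skipped; docker images are reported because an image tag
    is as mutable as a git tag. A short SHA is reported too, since FULL_SHA_RE
    only accepts the full 40 hex digits.
    """
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group("ref")) not in ("sha", "local"):
            findings.append((n, m.group("ref"), classify(m.group("ref"))))
    return findings


def pin(workflow_text: str, pins: Dict[str, str]) -> str:
    """Rewrite tag references using a map of 'owner/repo@tag' -> full SHA.

    The original tag is kept as a trailing comment so a reader (or a tool such
    as Dependabot) can still tell which release the SHA was taken from; any
    existing trailing comment on that line is replaced. References missing from
    `pins` are left untouched so a later audit() still reports them.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify(m.group("ref")) == "tag-or-branch":
            ref = m.group("ref")
            sha = pins.get(ref)
            if sha is not None:
                if not FULL_SHA_RE.match(sha):
                    raise ValueError(f"refusing to pin {ref} to non-full SHA {sha!r}")
                action, _, tag = ref.rpartition("@")
                line = f"{m.group('indent')}uses: {action}@{sha} # {tag}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow; the SHA on the last step is a placeholder.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/local-lint
      - uses: "some-org/some-action@main"
      - uses: docker://alpine:3.20
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
"""

# Constructed placeholder SHAs; real values come from `git ls-remote --tags`.
PINS = {
    "actions/checkout@v4": "a" * 40,
    "actions/setup-node@v4": "b" * 40,
}

if __name__ == "__main__":
    for line_no, ref, kind in audit(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref} ({kind})")
    print(pin(SAMPLE_WORKFLOW, PINS))
```

Two caveats the auditor makes visible: the `# v4` comment is informational only, so a SHA and its comment can drift apart unless a tool updates both together, and pinning a step's SHA says nothing about what that action does at run time (a composite or JavaScript action can itself fetch unpinned actions or packages, which this check does not see). Docker steps are listed rather than rewritten because the fix there is an `@sha256:` image digest, not a git commit.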
netlify bot commented Aug 13, 2025

Deploy Preview for slsa canceled.

Name Link
🔨 Latest commit ca296ea
🔍 Latest deploy log https://app.netlify.com/projects/slsa/deploys/68ac0662c0e64b0008d1b81c

@harekrishnarai harekrishnarai changed the title security: pin GitHub Actions to commit hashes fix : pin GitHub Actions to commit hashes Aug 13, 2025
@harekrishnarai harekrishnarai changed the title fix : pin GitHub Actions to commit hashes fix: pin GitHub Actions to commit hashes Aug 13, 2025
@arewm arewm merged commit 226d92c into slsa-framework:main Aug 26, 2025
5 checks passed
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in Issue triage Aug 26, 2025
3 participants