Conversation
There was a problem hiding this comment.
Pull request overview
This PR aims to harden CI supply-chain security by replacing mutable GitHub Actions version tags with immutable commit SHAs in existing workflows.
Changes:
- Pin
astral-sh/setup-uvto a specific commit SHA in the test workflow. - Pin
DavidAnson/markdownlint-cli2-actionto a specific commit SHA in the lint workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/test.yml | Pins astral-sh/setup-uv to a commit SHA in both jobs. |
| .github/workflows/lint.yml | Pins markdownlint-cli2-action to a commit SHA. |
Comments suppressed due to low confidence (1)
.github/workflows/test.yml:42
- Same as above for the matrix job:
actions/checkoutandactions/setup-pythonare still referenced via mutable tags even though the PR description claims SHA pinning. Consider pinning them to commit SHAs, or update the PR description/scope accordingly.
- name: Checkout
uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - name: Run markdownlint-cli2 | ||
| uses: DavidAnson/markdownlint-cli2-action@v23 | ||
| uses: DavidAnson/markdownlint-cli2-action@ce4853d43830c74c1753b39f3cf40f71c2031eb9 # v23 |
There was a problem hiding this comment.
PR description says workflows are pinned to immutable SHAs, but this workflow still uses a mutable tag for actions/checkout. Either pin actions/checkout to a commit SHA as well, or adjust the PR description/scope so it’s not misleading (especially since this is a security-hardening change).
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Install uv | ||
| uses: astral-sh/setup-uv@v7 | ||
| uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7 | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@v6 |
There was a problem hiding this comment.
PR description says actions are pinned to immutable SHAs, but this job still uses mutable tags for actions/checkout and actions/setup-python. Either pin these to commit SHAs as well, or update the PR description to clarify that only selected third-party actions are pinned.
This issue also appears on line 35 of the same file.
Re-submission of #1985. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.
How to verify
Review the diff, each change is mechanical and preserves workflow behavior:
action@v3becomesaction@abc123 # v3, original version preserved as commentI've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.
If you have any questions, reach out. I'll be monitoring comms.
- Chris (dagecko)