fix: harden GitHub Actions workflows #2021
Pull request overview
This PR aims to harden CI supply-chain security by replacing mutable GitHub Actions version tags with immutable commit SHAs in existing workflows.
Changes:
- Pin `astral-sh/setup-uv` to a specific commit SHA in the test workflow.
- Pin `DavidAnson/markdownlint-cli2-action` to a specific commit SHA in the lint workflow.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/test.yml | Pins astral-sh/setup-uv to a commit SHA in both jobs. |
| .github/workflows/lint.yml | Pins markdownlint-cli2-action to a commit SHA. |
Comments suppressed due to low confidence (1)
.github/workflows/test.yml:42
- Same as above for the matrix job: `actions/checkout` and `actions/setup-python` are still referenced via mutable tags even though the PR description claims SHA pinning. Consider pinning them to commit SHAs, or update the PR description/scope accordingly.

```yaml
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install uv
        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v6
```
mnriem
left a comment
Please address Copilot feedback
Good callout. The PR intentionally only pins third-party actions, not first-party actions under
- Chris (dagecko)
@mnriem just following up. I addressed the Copilot feedback in my comment above and updated the PR description to clarify the scope. Let me know if there is anything else needed.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.
Thank you!
Re-submission of #1985. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts any unsafe expressions from run blocks into env mappings.
How to verify
Review the diff. Each change is mechanical and preserves workflow behavior:
- `action@v3` becomes `action@abc123 # v3`, original version preserved as comment

I've been researching CI/CD supply chain attack vectors and submitting fixes to affected repos. Based on that research I built a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. I'll be posting more advisories over the next few weeks on Twitter if you want to stay in the loop.
If you have any questions, reach out. I'll be monitoring comms.
- Chris (dagecko)
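
A reviewer can check both properties the PR description names (SHA-pinned `uses:` references, and no `${{ }}` expressions left inside `run` scripts) with a short line-based audit. This is an added example, not code from this PR or from the Runner Guard scanner; the `audit_workflow` name, the `first_party` owner list, `example-org/example-action` and the sample workflow are assumptions made for illustration.

```python
import re

# `uses: owner/repo[/path]@ref`, optionally followed by a `# v7`-style comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^@\s'\"]+)@([^\s'\"#]+)['\"]?\s*(?:#.*)?$")
RUN_RE = re.compile(r"^\s*(?:-\s*)?run:\s*(.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # full commit SHA, not a tag or branch
EXPR_RE = re.compile(r"\$\{\{.*?\}\}")      # ${{ ... }} expression

def audit_workflow(text, first_party=("actions/", "github/")):
    """Return (line_no, kind, detail) findings; first_party owners are an assumption."""
    findings, run_col = [], None   # run_col: column of the active `run:` key
    for no, line in enumerate(text.splitlines(), 1):
        body = line.lstrip()
        col = len(line) - len(body)
        if run_col is not None and body and col <= run_col:
            run_col = None         # dedent: the run script has ended
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if not action.startswith("docker://") and not SHA_RE.match(ref):
                owner = "first" if action.startswith(first_party) else "third"
                findings.append((no, f"unpinned-{owner}-party", f"{action}@{ref}"))
            continue
        r = RUN_RE.match(line)
        if r:
            run_col, script = line.index("run:"), r.group(1)
        elif run_col is not None:
            script = body
        else:
            continue
        # Expressions are substituted into the script text before the shell runs it.
        findings += [(no, "expression-in-run", e) for e in EXPR_RE.findall(script)]
    return findings

# Constructed sample workflow; example-org/example-action is hypothetical.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
  - uses: example-org/example-action@v1
  - run: echo "title=${{ github.event.pull_request.title }}"
  - run: echo "title=$TITLE"
    env:
      TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(*finding, sep="\t")
```

First-party and third-party references are reported separately so a scope decision like the one discussed in this thread is visible in the output; expressions in `env:` or `name:` values are not flagged, only those inside `run` scripts.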