Skip to content

Conversation

juliendoutre
Copy link

🔒 Security Enhancement: GitHub Actions Pinning

📋 What This PR Does

This PR automatically pins GitHub Actions references from tag-based versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...) while preserving the original tag as a comment for readability.
No functional changes to your workflows - they'll work exactly the same way

🎯 Why This Matters

Supply Chain Security: Pinning GitHub Actions to specific SHA hashes prevents supply chain security and reliability risks because git tags are mutable and can be moved to point to different commits by malicious actors or maintainers, potentially introducing vulnerabilities or breaking changes into workflows.

🤖 Keep Actions Updated with Dependabot

Now that your actions are pinned to SHA hashes, you can enable Dependabot to automatically create PRs when new versions are available. Add this configuration to your repository:

Create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 10
    commit-message:
      prefix: "chore"
      include: "scope"

This will:

  • 🔄 Check for action updates weekly
  • 📬 Create PRs automatically when newer versions are available
  • 🏷️ Update both the SHA hash and the comment with the new tag
  • 🎯 Keep your actions secure AND up-to-date

🤝 Questions or Concerns?

For any questions about this security enhancement, please reach out to the SDL Security team in the #sdlc-security Slack channel.


This PR was automatically generated by the GitHub Actions Pinning Tool as part of our ongoing security improvements.

@juliendoutre juliendoutre requested review from a team as code owners August 18, 2025 11:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant