[SINT-3848] 🔒 Pin GitHub Actions to specific SHA versions for enhanced security #2774
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🔒 Security Enhancement: GitHub Actions Pinning
📋 What This PR Does
This PR automatically pins GitHub Actions references from tag-based versions (e.g.,
@v4
) to their corresponding SHA hashes (e.g.,@abc123...
) while preserving the original tag as a comment for readability.No functional changes to your workflows - they'll work exactly the same way
🎯 Why This Matters
Supply Chain Security: Pinning GitHub Actions to specific SHA hashes prevents supply chain security and reliability risks because git tags are mutable and can be moved to point to different commits by malicious actors or maintainers, potentially introducing vulnerabilities or breaking changes into workflows.
🤖 Keep Actions Updated with Dependabot
Now that your actions are pinned to SHA hashes, you can enable Dependabot to automatically create PRs when new versions are available. Add this configuration to your repository:
Create or update
.github/dependabot.yml
:This will:
🤝 Questions or Concerns?
For any questions about this security enhancement, please reach out to the SDL Security team in the #sdlc-security Slack channel.
This PR was automatically generated by the GitHub Actions Pinning Tool as part of our ongoing security improvements.