Pin GitHub Actions dependencies by commit hash #482
Conversation
Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
@copilot please check, I think: advanced-security/maven-dependency-submission-action@v5 → b275d12641ac2d2108b2cbb7598b154ad2f2cee8 and github/codeql-action → b20883b0cd1f46c72ae0ba6d1090936928f9fa30. Could you verify my thoughts in some way? As a minimum, perhaps you can check that my suggestions are tagged.
For github/codeql-action@v4 and advanced-security/maven-dependency-submission-action@v5,
the previous commit used the annotated tag object hash instead of the actual commit hash.
This corrects them to use the dereferenced commit hashes (tag^{}).
Co-authored-by: thomasturrell <1552612+thomasturrell@users.noreply.github.com>
You're absolutely correct! Both actions use annotated tags, and I mistakenly used the tag object hash instead of the actual commit hash. Fixed in commit 8b77829:
The issue: these two actions use annotated tags (git objects that point to commits), while the other actions use lightweight tags (direct commit references). For annotated tags, we need the dereferenced commit hash (tag^{}), not the tag object itself.
Pull request overview
This PR enhances supply chain security by pinning all GitHub Actions dependencies to immutable commit hashes instead of mutable version tags. This prevents potential security risks from tags being moved to point at malicious commits.
Changes:
- All GitHub Actions dependencies across 7 workflow files have been pinned to commit hashes
- Version tags preserved as inline comments for maintainability and readability
- Commit hashes properly dereferenced from annotated git tags where applicable
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/stale.yml | Pinned actions/stale@v10 to commit hash |
| .github/workflows/maven_push.yml | Pinned actions/checkout@v6, actions/setup-java@v5, and advanced-security/maven-dependency-submission-action@v5 to commit hashes |
| .github/workflows/maven_pull_request.yml | Pinned actions/checkout@v6 and actions/setup-java@v5 to commit hashes |
| .github/workflows/manual-release.yml | Pinned actions/create-github-app-token@v2, actions/checkout@v6, and actions/setup-java@v5 to commit hashes |
| .github/workflows/dependabot-auto-approve-merge.yml | Pinned dependabot/fetch-metadata@v2 to commit hash |
| .github/workflows/copilot-setup-steps.yml | Pinned actions/checkout@v6 and actions/setup-java@v5 to commit hashes |
| .github/workflows/codeql.yml | Pinned actions/checkout@v6, actions/setup-java@v5, and all github/codeql-action/*@v4 sub-actions to commit hashes |



Description
GitHub Actions version tags are mutable - they can be moved to point at different commits, creating a supply chain security risk. This pins all action dependencies to immutable commit hashes.
Changes
All workflow files updated to use commit hashes with version preserved as inline comments:
- actions/checkout@v6 → @8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
- actions/setup-java@v5 → @be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
- github/codeql-action/*@v4 → @b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4
- dependabot/fetch-metadata@v2 → @21025c705c08248db411dc16f3619e6b5f9ea21a # v2
- actions/stale@v10 → @997185467fa4f803885201cee163a9f38240193d # v10
- actions/create-github-app-token@v2 → @29824e69f54612133e76f7eaac726eef6c875baf # v2
- advanced-security/maven-dependency-submission-action@v5 → @b275d12641ac2d2108b2cbb7598b154ad2f2cee8 # v5

Hashes resolved via `git ls-remote` against each action's repository tags. For actions using annotated git tags (github/codeql-action and advanced-security/maven-dependency-submission-action), the commit hashes are dereferenced from the tag objects (tag^{}) to reference the actual commits rather than the tag objects themselves.
Checklist:
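The resolution step described in the description above, and the annotated-tag pitfall explained in the comment on commit 8b77829, as an added example that is not part of this PR: a POSIX shell script that picks the peeled `^{}` commit hash out of `git ls-remote --tags` output, rewrites a `uses:` line into the pinned form, and checks an already pinned line against the tag in its comment (the check asked for in the thread). The function names and the sample ls-remote output are constructed for this example; the commit hashes in the sample are the ones the PR pins for codeql-action v4 and checkout v6, and the v4 tag-object hash is a made-up placeholder.

```shell
#!/bin/sh
# Pick the commit hash to pin for an action tag from `git ls-remote --tags` output.
# An annotated tag shows up twice: "<tag-object-hash> refs/tags/<tag>" and a peeled
# "<commit-hash> refs/tags/<tag>^{}" line; the peeled hash is the one to pin.
# A lightweight tag has only the first form, and that hash already is the commit.
resolve_pin() {
    ls_output=$1
    tag=$2
    peeled=$(printf '%s\n' "$ls_output" | awk -v ref="refs/tags/${tag}^{}" '$2 == ref { print $1 }')
    if [ -n "$peeled" ]; then
        printf '%s\n' "$peeled"
        return 0
    fi
    direct=$(printf '%s\n' "$ls_output" | awk -v ref="refs/tags/${tag}" '$2 == ref { print $1 }')
    if [ -n "$direct" ]; then
        printf '%s\n' "$direct"
        return 0
    fi
    echo "tag $tag not found" >&2
    return 1
}

# Rewrite a "uses: owner/repo@tag" line to the pinned form, keeping the tag as a comment.
pin_uses_line() {
    line=$1
    sha=$2
    printf '%s\n' "$line" | sed -E "s|@([^ ]+)\$|@${sha} # \\1|"
}

# Check an already pinned line: its 40-hex hash must be what the tag named in the
# trailing comment resolves to. A tag-object hash (the mistake fixed in 8b77829) fails.
verify_pin_line() {
    line=$1
    ls_output=$2
    pinned=$(printf '%s\n' "$line" | sed -E 's/.*@([0-9a-f]{40}) *#.*/\1/')
    tag=$(printf '%s\n' "$line" | sed -E 's/.*# *([^ ]+) *$/\1/')
    expected=$(resolve_pin "$ls_output" "$tag") || return 1
    [ "$pinned" = "$expected" ]
}

# Constructed sample of ls-remote output (real output puts a tab between the columns;
# awk splits on any whitespace). The v4 tag-object hash is a made-up placeholder; the
# commit hashes are the ones this PR pins for codeql-action v4 and checkout v6.
LS_ANNOTATED='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/tags/v4
b20883b0cd1f46c72ae0ba6d1090936928f9fa30 refs/tags/v4^{}'
LS_LIGHTWEIGHT='8e8c483db84b4bee98b60c0593521ed34d9990e8 refs/tags/v6'
```

With network access the same functions take live output, e.g. `resolve_pin "$(git ls-remote --tags https://github.com/github/codeql-action)" v4`.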