Skip to content

Pin GitHub actions to SHAs instead of versions #2171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 15, 2025
Merged

Pin GitHub actions to SHAs instead of versions #2171

merged 1 commit into from
Sep 15, 2025

Conversation

westonruter
Copy link
Member

@westonruter westonruter commented Sep 14, 2025
edited
Loading

See discussion with @thelovekesh at #1838 (comment):

My recommendation would be to pin it to a specific SHA for better security.
[...]
Also, in core, it's very rare for maintainers to allow third-party actions, and when they do, they always pin to a specific SHA to mitigate potential security risks.
[...]
By default, pin to the SHA of a version that was published at least a week ago. This provides ample time to detect if the action has been compromised.

Note that Gutenberg's workflows all have actions pinned to SHAs.

I used Gemini CLI to do this for me, using the prompt:

I want to update the GitHub actions in .github use SHA pinning instead of just referencing the version. I want the version to be in a comment after the sha

@westonruter @gemini-code-assist
Pin GitHub actions to SHAs
e707863 
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
@westonruter westonruter added the [Type] Enhancement A suggestion for improvement of an existing feature label Sep 14, 2025
@westonruter westonruter added no milestone PRs that do not have a defined milestone for release dependencies Pull requests that update a dependency file labels Sep 14, 2025
@westonruter westonruter mentioned this pull request Sep 14, 2025
Open
@codecov Codecov
Copy link

codecov bot commented Sep 14, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.81%. Comparing base (440216b) to head (e707863).
⚠️ Report is 2 commits behind head on trunk.

Additional details and impacted files 
@@           Coverage Diff           @@
##            trunk    #2171   +/-   ##
=======================================
  Coverage   68.81%   68.81%           
=======================================
  Files          90       90           
  Lines        8006     8006           
=======================================
  Hits         5509     5509           
  Misses       2497     2497
Flag Coverage Δ
multisite 68.81% <ø> (ø)
single 35.47% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 14, 2025
edited
Loading

The following accounts have interacted with this PR and/or linked issues. I will continue to update these lists as activity occurs. You can also manually ask me to refresh this list by adding the props-bot label.

If you're merging code through a pull request on GitHub, copy and paste the following into the bottom of the merge commit message.

Co-authored-by: westonruter <[email protected]>
Co-authored-by: mukeshpanchal27 <[email protected]>

To understand the WordPress project's expectations around crediting contributors, please review the Contributor Attribution page in the Core Handbook.

westonruter
westonruter commented Sep 14, 2025
View reviewed changes
.github/workflows/props-bot.yml

- name: Remove the props-bot label
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For this one, the tag is in fact v8 but the release name is v8.0.0: https://github.com/actions/github-script/releases/tag/v8

@westonruter westonruter added the skip changelog PRs that should not be mentioned in changelogs label Sep 14, 2025
@mukeshpanchal27 mukeshpanchal27 merged commit d1aca43 into trunk Sep 15, 2025
34 checks passed
@mukeshpanchal27 mukeshpanchal27 deleted the update/workflow-sha-pinning branch September 15, 2025 04:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mukeshpanchal27 mukeshpanchal27 mukeshpanchal27 approved these changes

@felixarntz felixarntz Awaiting requested review from felixarntz felixarntz is a code owner

@thelovekesh thelovekesh Awaiting requested review from thelovekesh thelovekesh is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file no milestone PRs that do not have a defined milestone for release skip changelog PRs that should not be mentioned in changelogs [Type] Enhancement A suggestion for improvement of an existing feature

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@westonruter @mukeshpanchal27