
ci: pin GitHub Actions to SHA hashes of latest release versions#3115

Merged
igaw merged 1 commit into master from copilot/update-dependency-versioning on Feb 26, 2026

Conversation


Copilot AI commented Feb 26, 2026

Mutable version tags (e.g. @v6) can be silently redirected to a different commit, creating an undetected supply-chain attack vector. Pin every uses: reference to the immutable commit SHA of the latest release in its major version series, with the version tag kept as a trailing comment.

Changes

  • All workflow files (build.yml, checkpatch.yml, codeql.yml, coverage.yml, docs.yaml, release.yml, upload.yml, coverity.yml, libnvme-release.yml, libnvme-release-python.yml, run-nightly-tests.yml): replace tag-based action refs with full SHAs
  • actions/upload-artifact: standardised on v6.0.0 across all workflows (coverity was on v5.0.0)
# before
- uses: actions/checkout@v6

# after
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

SHA → version mapping

Action SHA Version
actions/checkout de0fac2e v6.0.2
actions/upload-artifact b7c566a7 v6.0.0
actions/download-artifact 37930b1c v7.0.0
actions/upload-release-asset e8f9f06c v1.0.2
docker/setup-qemu-action c7c53464 v3.7.0
docker/login-action c94ce9fb v3.7.0
mosteo-actions/docker-run 4824fd41 branch v2
webispy/checkpatch-action 58374fe5 v9
github/codeql-action 89a39a4e v4.32.4
codecov/codecov-action 671740ac v5.5.2
ncipollo/release-action b7eabc95 v1.20.0
sand4rt/ftp-deployer 518beaad v1.8
pypa/gh-action-pypi-publish ed0c5393 v1.13.0

The existing dependabot.yml already tracks github-actions and will open PRs to bump these SHAs as new releases are published.
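The pin-and-comment convention described in the comment above, as an added example that is not part of the libnvme PR or of the Copilot comment: a small Python audit that flags `uses:` references not pinned to a full 40-hex commit SHA (mutable tags or branches, abbreviated SHAs, and full SHAs that lack the trailing version comment), a rewrite helper that produces the `@<sha> # <tag>` form, and a helper that picks the commit SHA out of `git ls-remote --tags` output. The last one matters because an annotated tag shows up twice in that output, once as the tag object and once as the peeled `^{}` commit, and a tag-object hash is not a commit. The workflow snippet and the ls-remote output are constructed for the example; the repeated-letter 40-character hashes in them are placeholders, not real commits.

```python
"""Audit GitHub Actions workflows for unpinned `uses:` references.

Added example (not libnvme project code). Parses workflow text with a regex
instead of a YAML library so it runs with the standard library only.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# Local (`./path`) and `docker://` references have no `owner/repo@ref` shape
# and are deliberately not matched: they are not remote actions to pin.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")  # heuristic: hex-only ref, too short


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    problem: str


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not pinned the way the PR pins."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if FULL_SHA_RE.match(ref):
            if not comment:
                findings.append(Finding(lineno, action, ref, "pinned but missing trailing version comment"))
        elif SHORT_SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref, "abbreviated SHA; use the full 40-hex commit SHA"))
        else:
            findings.append(Finding(lineno, action, ref, "mutable ref (tag or branch) can be moved"))
    return findings


def pin_uses_line(line: str, sha: str) -> str:
    """Rewrite `uses: x@tag` to `uses: x@<sha> # tag`; leave already-pinned lines alone."""
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a remote `uses:` line")
    if not FULL_SHA_RE.match(sha):
        raise ValueError("pin must be a full 40-hex commit SHA")
    if FULL_SHA_RE.match(m.group("ref")):
        return line
    return f"{line[:m.start('ref')]}{sha} # {m.group('ref')}"


def commit_sha_for_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Pick the commit SHA for `tag` from `git ls-remote --tags <url>` output.

    An annotated tag lists `refs/tags/<tag>` (the tag object) and
    `refs/tags/<tag>^{}` (the peeled commit). Prefer the peeled line; a
    lightweight tag has only the plain line and already names the commit.
    """
    tag_object: Optional[str] = None
    for entry in ls_remote_output.splitlines():
        parts = entry.split()
        if len(parts) != 2:
            continue
        sha, ref = parts
        if ref == f"refs/tags/{tag}^{{}}":
            return sha
        if ref == f"refs/tags/{tag}":
            tag_object = sha
    return tag_object


# Constructed sample data (placeholder hashes, not real commits).
PINNED_NO_COMMENT = "d" * 40
SAMPLE_WORKFLOW = f"""\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: upload
        uses: actions/upload-artifact@b7c566a7
      - uses: codecov/codecov-action@{PINNED_NO_COMMENT}
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-thing
      - uses: github/codeql-action/analyze@main
"""
TAG_OBJ, COMMIT, LIGHT = "a" * 40, "b" * 40, "c" * 40
LS_REMOTE_SAMPLE = "\n".join([
    f"{TAG_OBJ}\trefs/tags/v6.0.2",      # annotated tag object
    f"{COMMIT}\trefs/tags/v6.0.2^{{}}",  # peeled commit: the value to pin
    f"{LIGHT}\trefs/tags/v6.0.1",        # lightweight tag: already a commit
])

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref}: {f.problem}")
    print(pin_uses_line("      - uses: actions/checkout@v6", commit_sha_for_tag(LS_REMOTE_SAMPLE, "v6.0.2")))
```

Run it as a pre-commit or CI check over `.github/workflows/*.yml` and fail on any finding; the abbreviated-SHA heuristic is a convenience for catching short hashes like the ones in the mapping table above, not a guarantee (a branch that happens to be named with hex characters would also trip it).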



Copilot AI changed the title from "[WIP] Change default behavior of depbot to use SHA versions" to "ci: pin GitHub Actions to immutable SHA refs" on Feb 26, 2026
Copilot AI changed the title from "ci: pin GitHub Actions to immutable SHA refs" to "ci: pin GitHub Actions to SHA hashes of latest release versions" on Feb 26, 2026
@igaw igaw force-pushed the copilot/update-dependency-versioning branch 4 times, most recently from d93f4de to e8a9a12 on February 26, 2026 15:41
Replace mutable version tags (e.g. @v6) with the commit SHA of
the latest release in each major version series, keeping the tag
as a trailing comment for readability.  This prevents a compromised
or moved tag from silently changing what code executes in CI.

While at it, replace the unmaintained mosteo-actions/docker-run action
with a direct docker run command.

Signed-off-by: Daniel Wagner <[email protected]>
@igaw igaw force-pushed the copilot/update-dependency-versioning branch from e8a9a12 to fb34708 on February 26, 2026 15:42
@igaw igaw marked this pull request as ready for review February 26, 2026 15:43
@igaw igaw merged commit ab2f610 into master Feb 26, 2026
18 checks passed
@igaw igaw deleted the copilot/update-dependency-versioning branch February 26, 2026 15:43
