From 680b2b54b75af0630edd5ddb2ab70097c1765796 Mon Sep 17 00:00:00 2001 From: Dan Potepa Date: Wed, 8 Jul 2026 16:50:54 +0100 Subject: [PATCH] Pin versions of GitHub Actions to full commit hash ## What? This PR pins versions of GitHub Actions to full commit hash by pinact. In general, this PR doesn't change the behavior of the workflows, so you can merge this safely. ## Why? A while ago, the popular GitHub Action tj-actions/changed-files action was compromised. - https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/ - https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised All tags were tampered and they pointed to a revision with malicious code. The issue was solved, but similar issues could happen again. To avoid this kind of issues, we should pin versions of GitHub Actions. This is a common practice of GitHub Actions. https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions > Pin actions to a full length commit SHA > Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. > Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. > When selecting a SHA, you should verify it is from the action's repository and not a repository fork. ## How was this pull request created? This pull request was created by [pinact](https://github.com/suzuki-shunsuke/pinact) and [multi-gitter](https://github.com/lindell/multi-gitter). ## Deadling We will be turning on a global setting that will ENFORCE that all actions can only use pinned versions, if others are in use, the workflow will fail ## Contact If you have any question, please ask at the Slack channel #tech-platform --- .github/workflows/build-and-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml index 167e648..782738b 100644 --- a/.github/workflows/build-and-test.yml +++ b/.github/workflows/build-and-test.yml @@ -16,10 +16,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: ${{ matrix.node-version }} cache: 'npm' @@ -43,7 +43,7 @@ jobs: run: npm run build - name: Upload coverage - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@fb8b3582c8e4def4969c97caa2f19720cb33a72f # v7.0.0 if: matrix.node-version == '20.x' with: files: ./coverage/lcov.info