
Pin GitHub Actions to commit SHAs #919

Merged
ashwin-ant merged 2 commits into main from devsec/pin-actions on May 6, 2026

Conversation

@jportner-ant
Contributor

Pin third-party GitHub Actions references to immutable commit SHAs.

@jportner-ant jportner-ant force-pushed the devsec/pin-actions branch from fb22ea1 to 0359cec on May 6, 2026 03:59
The with: block had two claude_args keys (lines 48 and 57), which is
invalid YAML — both ruamel and GitHub Actions reject it. The workflow
has been failing to parse since #556 (2026-02-07). Merge both intended
values (--model and --allowed-tools) into a single block scalar.
@jportner-ant
Contributor Author

Note on .github/workflows/claude.yml change in d079f31

Why this change is in a SHA-pinning PR: claude.yml had duplicate claude_args keys (introduced in #556), which is invalid YAML — GitHub Actions has been rejecting this file since 2026-02-07 (~1,759 parse-failure runs; the @claude workflow has not run since). Our pin tool also can't parse it, so it was being skipped. This commit merges the two intended values into one block scalar so (a) the workflow works again and (b) the file can be processed by sec github pin-actions (it now scans cleanly — only actions/* and anthropics/* refs, nothing to pin).

cc @ashwin-ant @ant-kurt

@jportner-ant jportner-ant marked this pull request as ready for review May 6, 2026 16:10
@jportner-ant jportner-ant requested a review from ashwin-ant May 6, 2026 16:11
@ashwin-ant ashwin-ant merged commit 3c08a3a into main May 6, 2026
12 checks passed
@ashwin-ant ashwin-ant deleted the devsec/pin-actions branch May 6, 2026 16:11
@claude (Bot, Contributor) left a comment


LGTM — mechanical SHA pins plus a fix for the duplicate claude_args key that was breaking the workflow parse.

Extended reasoning...

Overview

This PR touches four GitHub Actions workflow files. Two of the changes (pypi-quota-check.yml, slack-issue-notification.yml) are comment-only — the slackapi/slack-github-action reference was already pinned to SHA 91efab1…, and only the trailing annotation changed from # 2.1.1 to # v2.1.1 (sha-pinned). In test.yml, codecov/codecov-action is pinned from the mutable v4 tag to commit b9fd7d16… (v4.6.0). In claude.yml, two duplicate claude_args keys are merged into a single block scalar so the file is valid YAML again; the merged value is exactly the union of the two prior values (--model + --allowed-tools), with no new flags introduced.

Security risks

None identified. This is a security-hardening change: replacing a mutable tag with an immutable SHA reduces supply-chain risk. No new third-party actions are introduced, no permissions blocks are widened, and no secrets handling is altered. The claude.yml fix does not change the allowed-tools surface — it just makes the previously-intended config actually load.

Level of scrutiny

Low. Two files have zero functional diff. The codecov pin is a tool-generated, widely-used pinning pattern with fail_ci_if_error: false, so even a bad pin would only drop coverage uploads rather than break CI. The claude.yml change is restoring a workflow that has been failing to parse for months; the author's timeline note explains the rationale clearly and the merged block scalar is the obvious correct resolution.

Other factors

No CODEOWNERS file in the repo. No bugs flagged by the bug-hunting system. No outstanding reviewer requests. The change set is small, self-contained, and follows the established pattern already present in the slack workflow files.
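An added example, not code from this PR and not the repo's `sec github pin-actions` tool: a small Python audit that checks a workflow file for the two problems this PR fixes, `uses:` references that are not pinned to a full 40-hex commit SHA, and a key repeated inside one mapping (the duplicate `claude_args` that made `claude.yml` unparseable). The `TRUSTED_OWNERS` allowlist mirrors the author's note that the pin tool reported only `actions/*` and `anthropics/*` refs as nothing to pin; that scope, the sample workflows, the action `example-org/example-action`, and every commit SHA below are assumptions or placeholders, not the real commits from the diff.

```python
import re
from typing import Dict, List, Tuple

# Owners whose actions this audit does not require to be SHA-pinned. Assumed
# from the PR comment ("only actions/* and anthropics/* refs, nothing to pin");
# a stricter policy would pin these too.
TRUSTED_OWNERS = ("actions", "anthropics")

# Constructed sample workflows (not files from the PR). BROKEN has a mutable
# tag on a third-party action and a `with:` block with the same key twice,
# the shape of the claude.yml bug. All SHAs are placeholders, not real commits.
BROKEN_WORKFLOW = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codecov/codecov-action@v4
        with:
          fail_ci_if_error: false
      - uses: slackapi/slack-github-action@0123456789abcdef0123456789abcdef01234567 # v2.1.1 (placeholder SHA)
      - uses: example-org/example-action@main
        with:
          claude_args: |
            --model example-model
          claude_args: |
            --allowed-tools Bash
"""

FIXED_WORKFLOW = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: codecov/codecov-action@fedcba9876543210fedcba9876543210fedcba98 # v4.6.0 (placeholder SHA)
        with:
          fail_ci_if_error: false
      - uses: slackapi/slack-github-action@0123456789abcdef0123456789abcdef01234567 # v2.1.1 (placeholder SHA)
      - uses: example-org/example-action@0011223344556677889900112233445566778899 # v1.0.0 (placeholder SHA)
        with:
          claude_args: |
            --model example-model
            --allowed-tools Bash
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
KEY_RE = re.compile(r"^(?P<indent>\s*)(?P<dash>-\s+)?(?P<key>[A-Za-z0-9_.\-]+):(?:\s+(?P<value>.*))?$")


def find_unpinned_actions(text: str, trusted=TRUSTED_OWNERS) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for each `uses:` whose ref is not a full commit SHA."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local-path and container refs carry no git ref to pin
        repo, _, version = ref.partition("@")
        if SHA_RE.match(version) or repo.split("/")[0] in trusted:
            continue
        findings.append((lineno, ref))
    return findings


def find_duplicate_keys(text: str) -> List[Tuple[int, str]]:
    """Line-oriented check for a key repeated within one block mapping, which
    ruamel.yaml and the Actions runner both reject. Block-scalar bodies and
    comments are skipped; flow mappings are out of scope, so treat this as a
    fast pre-check and let a real YAML parser have the final word."""
    dups = []
    frames: List[Tuple[int, set]] = []   # (indent, keys seen) per open mapping
    block_indent = None                   # indent of the key owning an open | or > scalar
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if block_indent is not None:
            if not stripped or len(line) - len(line.lstrip(" ")) > block_indent:
                continue                  # still inside the block scalar body
            block_indent = None
        if not stripped or stripped.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            continue
        indent = len(m.group("indent")) + len(m.group("dash") or "")
        key = m.group("key")
        while frames and frames[-1][0] > indent:
            frames.pop()                  # dedented out of a nested mapping
        if m.group("dash") and frames and frames[-1][0] == indent:
            frames.pop()                  # `- key:` opens a new sequence item
        if not frames or frames[-1][0] < indent:
            frames.append((indent, set()))
        keys = frames[-1][1]
        if key in keys:
            dups.append((lineno, key))
        keys.add(key)
        value = (m.group("value") or "").strip()
        if value[:1] in ("|", ">"):
            block_indent = indent
    return dups


def audit(text: str) -> Dict[str, list]:
    """Both checks over one workflow document."""
    return {"unpinned": find_unpinned_actions(text),
            "duplicate_keys": find_duplicate_keys(text)}


if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(name, audit(doc))
```

Run against the broken sample it reports the `codecov/codecov-action@v4` and `example-org/example-action@main` refs as unpinned and the second `claude_args` line as a duplicate; the fixed sample is clean. Because the duplicate-key check is a heuristic over block style only, a CI gate should pair it with a strict loader (for example ruamel.yaml, which the author notes rejects the duplicate) rather than rely on it alone.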
