chore: pin GitHub Actions to full-length commit SHAs #4239

Closed
joshuarli wants to merge 1 commit into master from pin-gha-actions

Conversation

@joshuarli (Member)

Summary

  • Pin all GitHub Actions references in .github/ workflow files to full-length commit SHAs

Generated by devenv pin_gha.

🤖 Generated with Claude Code
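
A line-based check for the convention this PR applies, added here as an example (it is not the devenv `pin_gha` tool nor any code from this PR): it classifies every `uses:` reference in a workflow as a full-length SHA pin, an abbreviated SHA, a mutable tag or branch, or a local action, flags SHA pins that lack the version comment Dependabot reads, and takes an assumed `trusted_owners` allowlist so first-party orgs such as getsentry can keep tags, as the review discussion proposes. The sample workflow text and the `actions/checkout` refs are constructed.

```python
import re

# A `uses:` line: owner/repo[/path]@ref plus an optional `# comment`. Dependabot
# reads a `# vX.Y.Z` comment beside a SHA pin to learn which release it tracks.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)(?:\s*#\s*(?P<comment>\S.*))?\s*$")

def classify(target, comment, trusted_owners=frozenset()):
    """Return (kind, note) for one `uses:` target; kinds are the review outcomes."""
    if target.startswith("./"):
        return "local", "action in this repo, nothing to pin"
    repo, at, ref = target.rpartition("@")
    if not at:
        return "unpinned", "no @ref at all"
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        if comment is None:
            return "sha-no-comment", "immutable, but add a `# vX.Y.Z` comment for Dependabot"
        return "sha", "pinned to a full-length commit SHA"
    if re.fullmatch(r"[0-9a-f]{7,39}", ref):
        return "short-sha", "abbreviated SHA; use all 40 hex digits"
    kind = "tag" if re.fullmatch(r"v?\d+(\.\d+){0,2}", ref) else "branch"
    if repo.split("/", 1)[0] in trusted_owners:  # assumed policy: first-party orgs may keep tags
        return kind, f"mutable {kind} on first-party {repo}; allowed by policy"
    return kind, f"mutable {kind}; whoever controls {repo} can re-point it"

def scan(workflow_text, trusted_owners=frozenset()):
    """Return (line_no, target, kind, note) for every `uses:` line in a workflow."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            kind, note = classify(m["target"], m["comment"], trusted_owners)
            findings.append((n, m["target"], kind, note))
    return findings

# Constructed sample: the two refs from this PR plus two made-up ones.
SAMPLE = """\
jobs:
  changelog-preview:
    uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
    steps:
      - uses: getsentry/forked-action-lock-threads@486f7380c15596f92b724e4260e4981c68d6bde6 # master
      - uses: actions/checkout@abc1234
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for n, target, kind, note in scan(SAMPLE, frozenset({"getsentry"})):
        print(f"line {n}: {kind:15} {target}  ({note})")
```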

@github-actions

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


New Features ✨

  • Remove 'vroom-cleanup' container by aldy505 in #4217

Internal Changes 🔧

Deps

  • Bump getsentry/craft from 2.23.2 to 2.24.1 by dependabot in #4221
  • Bump astral-sh/setup-uv from 7.2.1 to 7.5.0 by dependabot in #4220

Other

  • Pin GitHub Actions to full-length commit SHAs by joshuarli in #4239

🤖 This preview updates automatically when you update the PR.

joshuarli requested a review from a team on March 23, 2026 19:43

@BYK (Member) left a comment

changelog preview should stay on the tag

jobs:
changelog-preview:
uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2
uses: getsentry/craft/.github/workflows/changelog-preview.yml@f4889d04564e47311038ecb6b910fef6b6cf1363 # v2
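Review bot: this line replaces a first-party `@v2` reference, which deliberately follows a moving major tag of `getsentry/craft`, with the frozen commit `f4889d04564e47311038ecb6b910fef6b6cf1363`, so craft-side fixes to the changelog-preview workflow stop arriving unless the SHA is bumped. If the pin is kept, the trailing `# v2` comment has to stay accurate because it is what Dependabot reads to find newer releases; if the pin is dropped as suggested, the remaining risk is a re-pointed tag in a repo owned by the same org as this one, which is the trade-off the thread is weighing.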
A member replied with a suggested change:
uses: getsentry/craft/.github/workflows/changelog-preview.yml@f4889d04564e47311038ecb6b910fef6b6cf1363 # v2
uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2

runs-on: ubuntu-latest
steps:
- uses: getsentry/forked-action-lock-threads@master
- uses: getsentry/forked-action-lock-threads@486f7380c15596f92b724e4260e4981c68d6bde6 # master
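Review bot: whether or not the `@master` to SHA change stays, the visible `runs-on: ubuntu-latest` / `steps:` lines show no job-level `permissions:` block, so this job runs with whatever default `GITHUB_TOKEN` scopes the workflow inherits; add an explicit `permissions:` granting only what locking threads needs (`issues: write` and `pull-requests: write`) so a moved or compromised `forked-action-lock-threads` ref can do nothing beyond locking threads. Also note that `# master` names a branch, not a release, so there is no version for an update bot to compare against and the SHA will have to be bumped by hand.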

It's also a bit silly to pin this to a SHA. We should lock down its permissions instead.

A collaborator replied:

Why not do both?

@aldy505 (Collaborator) commented Mar 25, 2026

@aminvakil FYI internally, there is a Slack thread that's disagreeing on this whole GitHub Actions pinning organization-wide, specifically for actions from getsentry org. @BYK argues that he finds it okay with pinning actions made by external parties other than getsentry and actions github org.

I agree with what Burak said and want to change that for self-hosted. The majority of it is because of noisy Dependabot PRs. Here's the Slack convo AI summary for the thread:

[image: Slack thread AI summary]

@aldy505 (Collaborator) commented Mar 25, 2026

I'll drop this PR in 8 hours...

@aminvakil (Collaborator)

Gotcha.

aldy505 closed this Mar 25, 2026
aldy505 deleted the pin-gha-actions branch March 25, 2026 23:05
6 participants