Pin GitHub Actions to full-length commit SHAs#759
Conversation
|
@OssSecurityBot please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.
Contributor License AgreementContribution License AgreementThis Contribution License Agreement (“Agreement”) is agreed to by the party signing below (“You”),
|
There was a problem hiding this comment.
Pull request overview
This PR hardens the repo’s CI/CD configuration by pinning GitHub Actions to full-length commit SHAs (improving supply-chain security and build reproducibility) and updates Dependabot configuration for GitHub Actions with a 7-day cooldown.
Changes:
- Pinned third-party
uses:references in workflows to full-length commit SHAs with version comments. - Added a
github-actionsentry to.github/dependabot.yml, including grouping and a 7-daycooldown.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/validate-build.yml | Pins checkout/setup-dotnet/upload-artifact actions to full-length commit SHAs. |
| .github/workflows/prepare-release.yaml | Pins checkout action to a full-length commit SHA. |
| .github/workflows/codeQL.yml | Pins CodeQL init/analyze, checkout, and setup-dotnet actions to full-length commit SHAs. |
| .github/workflows/azure-functions-smoke-tests.yml | Pins checkout/setup-dotnet/upload-artifact actions to full-length commit SHAs. |
| .github/dependabot.yml | Adds Dependabot configuration for github-actions updates with grouping and a 7-day cooldown. |
| schedule: | ||
| interval: "weekly" | ||
| cooldown: | ||
| default-days: 7 |
Summary
This PR pins GitHub Actions to full-length commit SHAs for improved security and reproducibility and adds a 7 day cooldown to Dependabot configuration for GitHub Actions.
Why?
Pinning actions to commit SHAs prevents supply-chain attacks where a tag could be moved to point to malicious code. This is a recommended security best practice per the GitHub Actions security hardening guide.
This change mitigates the risk of tag retargeting to malicious code as seen in incidents like the tj-actions/changed-files action compromise or codfish/semantic-release-action compromise and improves the integrity and reproducibility of the CI/CD pipeline.
What changed?
Action pinning: Third-party action references in
.github/workflows/that used mutable tag-based references (e.g.,actions/checkout@v4) have been updated to full-length commit SHAs with a version comment (e.g.,actions/checkout@<sha> # v4) using the pinact tool. References that were already pinned to a SHA, or that used immutable release tags, were left unchanged.Dependabot configuration:
.github/dependabot.ymlhas been updated to ensure agithub-actionspackage-ecosystem section is present with acooldownconfiguration (default-days: 7). This groups Dependabot PRs for GitHub Actions and enforces a minimum 7-day cooldown between updates. If the file did not exist, it was created. If agithub-actionssection already existed, only thecooldownblock was added or itsdefault-daysvalue was increased to 7 if it was lower. The 7-day cooldown provides a window for the community to detect and report compromised releases before they are automatically proposed as updates, reducing exposure to supply-chain attacks via newly published malicious versions.Is this safe to merge?
Yes. The pinned SHAs correspond to the same commits that the existing tags pointed to. No behavioral changes are introduced. You can verify the pinned SHA value using the GitHub REST API (e.g., the commit hash for
actions/checkout@v7can be found in theshaproperty in the JSON response forGET https://api.github.com/repos/actions/checkout/commits/v7).For more information, visit https://aka.ms/action-pinning