This repository was archived by the owner on May 29, 2026. It is now read-only.

chore: pin GitHub Actions to commit SHAs#517

Open
BGos87 wants to merge 1 commit into main from chore/pin-github-actions-20260512

Conversation

@BGos87 BGos87 commented May 12, 2026

Summary

Pin every uses: ref in .github/workflows/ (and any composite action
files) to a full 40-character commit SHA, with the original tag
preserved as a # vX comment.

Why

Tags and branches are mutable, so a compromised action can replace what
runs in our pipelines without changing the tag we reference. Pinning to
a SHA closes that supply-chain vector. See GitHub's hardening guide:
https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions.

Deadline

TechOps is enforcing SHA-pinned GitHub Actions across the org by
June 8, 2026.
Merging this PR brings the repo into compliance ahead
of the cut-over; after that date workflows that still reference
mutable tags or branches will be blocked from running.

How

Generated mechanically with pinact run.
No version bumps were applied (strict pin); follow-up upgrades can come
from Renovate or a separate pinact run -u PR.

Test plan

  • CI green on this branch

Note

Low risk: only updates GitHub Actions uses: references to SHA-pinned commits, but CI could break if any pinned SHA is incorrect or later revoked.

Overview
Pins all third-party GitHub Actions in .github/workflows/ to immutable 40-char commit SHAs (with the prior version tag kept as a comment) across CI, build/publish, release, security scanning, and test workflows.

No workflow logic changes are introduced; this is a supply-chain hardening update affecting checkout, Docker actions, artifact upload/download, Java setup, Codecov, upterm, Helm, and the MetaMask security scanner.

Reviewed by Cursor Bugbot for commit 7a2bd67.

Pin every `uses:` ref in .github/workflows and composite actions to a
full 40-character commit SHA, with the original tag preserved as a
comment, e.g.

    uses: actions/checkout@11bd719 # v4

Tags and branches are mutable; commit SHAs are not. Pinning to a SHA
closes a supply-chain vector where a compromised action could replace
what runs in CI without changing the tag we reference.

Generated mechanically with `pinact run`
(https://github.com/suzuki-shunsuke/pinact). No version bumps were
applied (strict pin).
@codecov-commenter

❌ 1 test failed:

Tests completed: 757 | Failed: 1 | Passed: 756 | Skipped: 1
View the top 1 failed test(s) by shortest run time
maru.app.MaruMultiValidatorTest::block production continues with 1 node offline()
Stack Traces | 279s run time
org.awaitility.core.ConditionTimeoutException: Condition with Lambda expression in maru.app.MaruMultiValidatorTest was not fulfilled within 4 minutes.
	at org.awaitility.core.ConditionAwaiter.await(ConditionAwaiter.java:167)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:78)
	at org.awaitility.core.CallableCondition.await(CallableCondition.java:26)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1160)
	at org.awaitility.core.ConditionFactory.until(ConditionFactory.java:1129)
	at maru.app.MaruMultiValidatorTest.waitForConsecutiveRound0Blocks-KAdD7Dc(MaruMultiValidatorTest.kt:219)
	at maru.app.MaruMultiValidatorTest.block production continues with 1 node offline(MaruMultiValidatorTest.kt:382)
	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:511)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.tryRemoveAndExec(ForkJoinPool.java:1490)
	at java.base/java.util.concurrent.ForkJoinPool.helpJoin(ForkJoinPool.java:2248)
	at java.base/java.util.concurrent.ForkJoinTask.awaitDone(ForkJoinTask.java:499)
	at java.base/java.util.concurrent.ForkJoinTask.join(ForkJoinTask.java:669)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:511)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.tryRemoveAndExec(ForkJoinPool.java:1490)
	at java.base/java.util.concurrent.ForkJoinPool.helpJoin(ForkJoinPool.java:2248)
	at java.base/java.util.concurrent.ForkJoinTask.awaitDone(ForkJoinTask.java:499)
	at java.base/java.util.concurrent.ForkJoinTask.join(ForkJoinTask.java:669)
	at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:511)
	at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1450)
	at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:2019)
	at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:187)
