Pin GitHub Actions to commit SHAs per Kubernetes security policy#299

Merged
k8s-ci-robot merged 1 commit into master from copilot/pin-github-actions-to-sha
Apr 16, 2026

Conversation

Contributor

Copilot AI commented Apr 16, 2026

Mutable version tags (e.g. @v4) in GitHub Actions can be silently redirected to arbitrary commits, enabling supply chain attacks. Kubernetes policy requires pinning third-party actions to immutable commit SHAs.

Changes

  • .github/workflows/tests.yml: Replace floating version tags with full commit SHAs; version tags retained as inline comments for readability
| Action | Before | After |
| --- | --- | --- |
| actions/checkout | @v4 | @34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 |
| actions/setup-python | @v5 | @a26af69be951a213d495a4c3e4e4022e16d87065 # v5 |
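
As an added example (not code from this PR or from the Kubernetes project), a small Python checker and rewriter for the policy in the description above: it flags every `uses:` reference whose ref is not a full 40-hex commit SHA, rewrites the ones it can resolve from a tag-to-commit map while keeping the tag as a trailing comment (the same layout the PR uses), and shows how to take the peeled commit, not the tag object, out of `git ls-remote --tags` output. The sample workflow and the `git ls-remote` output are constructed here; the two SHAs in the map are the ones from the PR's table; `example/unknown-action` is a hypothetical name used only to exercise the unresolved path.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches `uses: owner/repo[/subpath]@ref`, which also covers reusable workflows such as
# owner/repo/.github/workflows/ci.yml@ref. Local paths (./x) and docker:// images
# do not match and are left alone.
USES_RE = re.compile(
    r"(?P<prefix>\buses:\s*['\"]?)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s'\"]+)?)"
    r"@(?P<ref>[^\s'\"#]+)"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned(ref: str) -> bool:
    """True only for a full 40-hex commit SHA; tags and branch names are mutable."""
    return bool(SHA_RE.match(ref))


def find_unpinned(workflow: str) -> List[Tuple[int, str, str]]:
    """Return (line number, action, ref) for every `uses:` that is not SHA-pinned."""
    hits = []
    for lineno, line in enumerate(workflow.splitlines(), start=1):
        m = USES_RE.search(line)
        if m and not is_pinned(m.group("ref")):
            hits.append((lineno, m.group("action"), m.group("ref")))
    return hits


def commit_for_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Pick the commit for `tag` from `git ls-remote --tags` output. An annotated tag is
    listed twice, as the tag object (refs/tags/v4) and the peeled commit (refs/tags/v4^{});
    prefer the peeled entry so the workflow pins the commit, not the tag object."""
    peeled, plain = f"refs/tags/{tag}^{{}}", f"refs/tags/{tag}"
    plain_sha = None
    for line in ls_remote_output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref == peeled:
            return sha
        if ref == plain:
            plain_sha = sha
    return plain_sha


def pin_workflow(workflow: str, resolved: Dict[str, str]) -> Tuple[str, List[str]]:
    """Rewrite unpinned `uses:` refs to the SHA in `resolved` ("owner/repo@tag" -> sha),
    keeping the tag as a trailing comment. Returns (new text, refs it could not resolve);
    an unresolved line is left exactly as it was rather than silently changed."""
    out, unresolved = [], []
    for line in workflow.splitlines(keepends=True):
        m = USES_RE.search(line)
        if not m or is_pinned(m.group("ref")):
            out.append(line)
            continue
        action, ref = m.group("action"), m.group("ref")
        repo = "/".join(action.split("/")[:2])  # a subpath action shares its repo's tags
        sha = resolved.get(f"{repo}@{ref}")
        if sha is None or not is_pinned(sha):
            unresolved.append(f"{action}@{ref}")
            out.append(line)
            continue
        body = line[: m.start("ref")] + sha + line[m.end("ref") :]
        text = body.rstrip("\r\n")
        newline = body[len(text):]
        if "#" not in text:  # keep the human-readable version next to the SHA
            text += f"  # {ref}"
        out.append(text + newline)
    return "".join(out), unresolved


# Constructed sample workflow (not the project's tests.yml); example/unknown-action is a
# hypothetical name with no entry in RESOLVED, to exercise the unresolved path.
SAMPLE_WORKFLOW = """\
name: tests
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: example/unknown-action@v1
"""

# Constructed `git ls-remote --tags` output: the 1111... SHA stands in for an annotated
# tag object, 2222... for a lightweight tag; the peeled v4 commit is the actions/checkout
# SHA from the PR's table.
SAMPLE_LS_REMOTE = (
    "1111111111111111111111111111111111111111\trefs/tags/v4\n"
    "34e114876b0b11c390a56381ad16ebd13914f8d5\trefs/tags/v4^{}\n"
    "2222222222222222222222222222222222222222\trefs/tags/v4.2.2\n"
)

# Tag -> commit map. Both SHAs are the ones from the PR's table; in practice build this
# from `git ls-remote --tags https://github.com/<owner>/<repo>` via commit_for_tag().
RESOLVED = {
    "actions/checkout@v4": "34e114876b0b11c390a56381ad16ebd13914f8d5",
    "actions/setup-python@v5": "a26af69be951a213d495a4c3e4e4022e16d87065",
}

if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref} is not pinned to a commit SHA")
    pinned, unresolved = pin_workflow(SAMPLE_WORKFLOW, RESOLVED)
    print(pinned)
    for ref in unresolved:
        print(f"could not resolve {ref}; pin it by hand")
```

Two practical notes on the rewrite. Pinning moves the trust decision from "whatever `v4` points at today" to one reviewed commit, so the map has to be built from the upstream repository's own refs, and the peeled commit of an annotated tag is what belongs in the workflow. A pinned SHA also never moves on its own, so pair this with Dependabot or Renovate, both of which update SHA-pinned actions and the trailing version comment, or the pins will silently age.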

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 16, 2026
@brendandburns brendandburns marked this pull request as ready for review April 16, 2026 20:33
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 16, 2026
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 16, 2026
@brendandburns
Contributor

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 16, 2026
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, Copilot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 16, 2026
@k8s-ci-robot k8s-ci-robot merged commit 215d5a5 into master Apr 16, 2026
3 checks passed