
Conversation


Copilot AI commented Jan 15, 2026

The release workflow used tag-based action references (@v5, @v6), which are vulnerable to supply chain attacks via tag hijacking or compromised maintainer accounts.

Changes

Pinned all 10 actions (14 instances) to immutable commit SHAs with version comments:

Before:

- uses: actions/checkout@v5
- uses: docker/metadata-action@v6
- uses: anchore/sbom-action@v0.20.10

After:

- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: docker/metadata-action@c299e40ca79d9ee606ef6f4365af95e9a7ca7f9f # v5.10.0
- uses: anchore/sbom-action@fbfd9c6c0a5723f5b15376258af3142b3d6a83bb # v0.20.10

Actions Pinned

  • actions/checkout@v5 → v5.0.0 (3×)
  • cli/gh-extension-precompile@v2 → v2.1.0
  • actions/setup-go@v6 → v6.0.0
  • anchore/sbom-action@v0.20.10 (3×)
  • actions/upload-artifact@v6 → v6.0.0
  • docker/setup-buildx-action@v3 → v3.12.0
  • docker/login-action@v3 → v3.6.0
  • docker/metadata-action@v6 → v5.10.0 (v6 doesn't exist)
  • docker/build-push-action@v6
  • actions/attest-build-provenance@v2 → v2.4.0

Verification

Zizmor security scan confirms no unpinned-uses warnings remain.

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix unpinned action reference in release.md workflow</issue_title>
<issue_description>## Objective

Pin the unpinned action reference to a specific commit SHA in .github/workflows/release.md to prevent supply chain security vulnerabilities.

Context

Severity: High
Tool: zizmor
Issue: Actions referenced by tag instead of commit SHA can be compromised
Reference: https://docs.zizmor.sh/audits/#unpinned-uses

Unpinned action references pose a supply chain security risk. If an action maintainer's account is compromised or a tag is moved, malicious code could be injected into the workflow.

Approach

  1. Review .github/workflows/release.md to identify the unpinned action
  2. Look up the current commit SHA for the action version being used
  3. Replace the tag-based reference (e.g., @v1) with commit SHA (e.g., @abc123...)
  4. Add a comment indicating what version the SHA corresponds to
  5. Optionally configure Dependabot to keep pinned actions updated

Files to Modify

  • .github/workflows/release.md

Example Fix

Before:

- uses: actions/checkout@v4

After:

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

Acceptance Criteria

  • Action reference is pinned to a specific commit SHA
  • Comment added indicating the version the SHA corresponds to
  • Workflow compiles successfully with make recompile
  • Zizmor scan no longer reports unpinned-uses for release.md
  • No functionality is broken by the change

Testing

# Verify the workflow compiles
make build
./gh-aw compile .github/workflows/release.md

# Run zizmor to verify the fix
zizmor .github/workflows/release.lock.yml

Related to #9990

AI generated by Plan Command for discussion #9966

Comments on the Issue (you are @copilot in this section)
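The lookup-and-pin procedure in the PR above (find tag-based `uses:` references, resolve the tag to a commit SHA, rewrite the reference with a version comment), as an added example that is not part of the PR or of the gh-aw project. The audit logic approximates zizmor's unpinned-uses check rather than reproducing it; the workflow snippet and the `git ls-remote` output are constructed for the example. The one SHA taken from the PR is actions/checkout's v5.0.0 commit; every other SHA in the sample is a placeholder.

```python
"""Audit and pin `uses:` references in a GitHub Actions workflow.

Added example, not project code. Assumes the caller obtains the tag->commit
mapping out of band, e.g. from `git ls-remote --tags https://github.com/OWNER/REPO`,
whose output is parsed by peeled_sha_for_tag() below.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A full 40-hex commit SHA is the only immutable reference form for `uses:`.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `- uses: owner/repo@ref   # optional comment`; quoted values are not handled.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$")


@dataclass
class UsesRef:
    line_no: int
    action: str            # e.g. "actions/checkout"
    ref: str               # text after '@' (tag, branch, or SHA); "" if absent
    comment: Optional[str] # trailing "# v5.0.0" style version note, if any


def parse_uses(workflow_text: str) -> List[UsesRef]:
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith(("./", "docker://")):
            continue  # local paths and docker:// images carry no git ref to pin
        action, _, ref = spec.partition("@")
        refs.append(UsesRef(n, action, ref, m.group(2)))
    return refs


def audit(workflow_text: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings: mutable refs, missing refs, missing version comments."""
    findings = []
    for r in parse_uses(workflow_text):
        if not r.ref:
            findings.append((r.line_no, f"{r.action}: no ref, resolves to the default branch"))
        elif not SHA_RE.fullmatch(r.ref):
            findings.append((r.line_no, f"{r.action}@{r.ref}: mutable tag/branch, pin to a commit SHA"))
        elif not r.comment:
            findings.append((r.line_no, f"{r.action}@{r.ref[:7]}: pinned but no version comment"))
    return findings


def peeled_sha_for_tag(ls_remote_output: str, tag: str) -> Optional[str]:
    """Pick the commit SHA for `tag` from `git ls-remote --tags` output.

    An annotated tag appears twice: refs/tags/TAG (the tag object) and
    refs/tags/TAG^{} (the commit it points to). `uses:` needs the commit,
    so prefer the peeled line; a lightweight tag has only the plain line.
    """
    tag_object = None
    for line in ls_remote_output.splitlines():
        sha, _, refname = line.partition("\t")
        if refname == f"refs/tags/{tag}^{{}}":
            return sha
        if refname == f"refs/tags/{tag}":
            tag_object = sha
    return tag_object


def pin_workflow(workflow_text: str, resolved: Dict[str, Tuple[str, str]]) -> str:
    """Rewrite `owner/repo@tag` lines listed in `resolved` as `owner/repo@SHA # version`."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and m.group(1) in resolved:
            sha, version = resolved[m.group(1)]
            action = m.group(1).split("@", 1)[0]
            line = f"{line[:m.start(1)]}{action}@{sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample workflow; 1111... is a placeholder SHA, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v5
      - uses: docker/metadata-action@v6
      - uses: anchore/sbom-action@fbfd9c6c0a5723f5b15376258af3142b3d6a83bb # v0.20.10
      - uses: actions/setup-go@1111111111111111111111111111111111111111
      - uses: ./.github/actions/local-step
"""

# Constructed `git ls-remote --tags` output: v5.0.0 modelled as an annotated tag
# (9999... is the placeholder tag object), v5 as a lightweight, floating tag.
SAMPLE_LS_REMOTE = """\
9999999999999999999999999999999999999999\trefs/tags/v5.0.0
08c6903cd8c0fde910a37f88322edcfb5dd907a8\trefs/tags/v5.0.0^{}
2222222222222222222222222222222222222222\trefs/tags/v5
"""

if __name__ == "__main__":
    for line_no, msg in audit(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {msg}")
    sha = peeled_sha_for_tag(SAMPLE_LS_REMOTE, "v5.0.0")
    print(pin_workflow(SAMPLE_WORKFLOW, {"actions/checkout@v5": (sha, "v5.0.0")}))
```

The peeling step is the caveat worth remembering when doing this by hand: for an annotated tag, the SHA shown next to `refs/tags/v5.0.0` is the tag object, and pinning to it fails at runtime; the `^{}` line is the commit to use. The version comment is what lets a reviewer (or Dependabot) see which release the SHA corresponds to.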



Copilot AI and others added 3 commits January 15, 2026 03:28
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix unpinned action reference in release.md workflow Pin GitHub Actions to commit SHAs in release workflow Jan 15, 2026
Copilot AI requested a review from mnkiefer January 15, 2026 03:41
@pelikhan pelikhan marked this pull request as ready for review January 15, 2026 04:19
@pelikhan pelikhan merged commit 0d64ec4 into main Jan 15, 2026
@pelikhan pelikhan deleted the copilot/fix-unpinned-action-reference branch January 15, 2026 04:19

Development

Successfully merging this pull request may close these issues.

[plan] Fix unpinned action reference in release.md workflow