
chore: pin GitHub Actions to SHA for supply chain security #2

Closed
luis-hong wants to merge 14 commits into master from chore/pin-github-actions-sha

chore: pin GitHub Actions to SHA for supply chain security#2
luis-hong wants to merge 14 commits into
masterfrom
chore/pin-github-actions-sha

Conversation

@luis-hong


Summary

This PR pins GitHub Actions to specific commit SHAs instead of mutable tags/branches to improve supply chain security.

Changes

  • .github/workflows/benchmarking.yml: pinned 1 action(s)
  • .github/workflows/release.yml: pinned 1 action(s)

Why?

Mutable references (@v2, @main) can be changed by upstream maintainers at any time. SHA pinning ensures reproducible builds and protects against supply chain attacks.

References

@coderabbitai

coderabbitai Bot commented Feb 20, 2026


Warning

Rate limit exceeded

@luis-hong has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 0 minutes and 17 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between b295e20 and 3a25d30.

📒 Files selected for processing (12)
  • .github/workflows/benchmarking.yml
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/format-code.yml
  • .github/workflows/integration-tests.yml
  • .github/workflows/lint.yml
  • .github/workflows/profile-data-generator.yml
  • .github/workflows/release.yml
  • .github/workflows/saucelabs-UI-tests.yml
  • .github/workflows/security-check.yaml
  • .github/workflows/test.yml
  • .github/workflows/testflight.yml

Walkthrough

Action references in two GitHub workflow files were changed from version tags to specific commit hashes. In benchmarking.yml, getsentry/action-app-sdk-overhead-metrics@v1 was replaced with a commit hash, and in release.yml, getsentry/action-prepare-release@v1 was changed to a commit hash. Input parameters and control flow are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The PR description covers the main content, but most of the required sections of the provided template are missing. Please add the template's required sections, such as Motivation and Context, How did you test it?, Checklist and Next steps, to complete it.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title clearly summarizes the main change; it accurately describes the supply chain security improvement of pinning GitHub Actions to SHAs.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.


jobs:
  security-check:
    uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main


  • 🚫 Please pin the action by specifying a commit SHA instead of a tag/branch.
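A check for the policy this PR applies, and that the review comment above asks for on the reusable workflow: the following is an added example, not part of this PR or of the project's own tooling. It scans workflow text for `uses:` references and reports those whose ref is not a full 40-character commit SHA, covering both step actions (`- uses:`) and `jobs.<id>.uses` reusable workflows, which is the form flagged above. Local actions (`./...`) and `docker://` images are skipped because they are not pinned by a git SHA. The sample workflow and the 40-hex SHA in it are constructed for illustration.

```python
"""Report GitHub Actions `uses:` references that are not pinned to a full commit SHA."""
import re
from typing import List, NamedTuple

# A pin is a full 40-hex-digit commit SHA; tags (v4), branches (main) and
# abbreviated SHAs (abc1234) are all mutable or ambiguous and are rejected.
FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")

# Matches `uses: owner/repo[/path]@ref`, with or without a leading `- `,
# optional quotes, and an optional trailing `# comment` (often the human-readable tag).
USES_LINE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<target>[^'"\s#]+)['"]?\s*(?:#\s*(?P<comment>.*))?$"""
)


class UsesRef(NamedTuple):
    line_no: int
    target: str   # owner/repo or owner/repo/path, without the ref
    ref: str      # text after '@', or '' when no ref is given
    comment: str  # trailing comment, e.g. "v4"


def parse_uses(text: str) -> List[UsesRef]:
    """Extract every remote `uses:` reference (step actions and reusable workflows)."""
    refs: List[UsesRef] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        # Local actions have no ref; docker images are pinned by image digest, not git SHA.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        path, _, ref = target.partition("@")
        refs.append(UsesRef(n, path, ref, (m.group("comment") or "").strip()))
    return refs


def is_sha_pinned(ref: str) -> bool:
    return bool(FULL_SHA.match(ref))


def find_unpinned(text: str) -> List[UsesRef]:
    """Return the references that a SHA-pinning policy would reject."""
    return [r for r in parse_uses(text) if not is_sha_pinned(r.ref)]


# Constructed sample workflow. The 40-hex value below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  security-check:
    uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: ./.github/actions/local-thing
      - run: echo hi
"""

if __name__ == "__main__":
    for r in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line_no}: {r.target}@{r.ref} is not pinned to a full commit SHA")
```

Run against the sample, the script flags the `@main` reusable workflow on line 5 and `actions/checkout@v4` on line 9, and accepts the SHA-pinned step. Keeping the tag in a trailing comment next to the SHA, as the sample does, preserves readability and lets tooling such as Dependabot update the pin.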

@github-actions

github-actions Bot commented Feb 23, 2026

Fails
🚫 Please consider adding a changelog entry for the next release.

Instructions and example for changelog

Please add an entry to CHANGELOG.md to the "Unreleased" section. Make sure the entry includes this PR's number.

Example:

## Unreleased

- pin GitHub Actions to SHA for supply chain security ([#2](https://github.com/Buzzvil/sentry-cocoa/pull/2))

If none of the above apply, you can opt out of this check by adding #skip-changelog to the PR description or adding a skip-changelog label.

Generated by 🚫 dangerJS against 3a25d30

@luis-hong

Author

External fork repositories are excluded from the bulk application of SHA pinning.

Reason: in fork repositories the security-check CI does not work properly, because of restrictions on access to the org's self-hosted runners and on calling private reusable workflows. We will handle them individually as needed.

@luis-hong luis-hong closed this Feb 23, 2026