Pin third-party actions to full-length commit SHAs #5
Merged
Replace floating tag references (e.g. `@v6`) in `action.yml` and the release / test workflows with full-length commit SHAs, keeping the resolved semver in a trailing comment so Dependabot can continue to update both the SHA and the comment in lockstep.

Rationale:
- Composite-action consumers running under "SHA pin required" GitHub Actions policies cannot use `bm-action` while internal `uses:` steps reference mutable tags; pinning unblocks those environments.
- GitHub's "Secure use reference" recommends pinning third-party actions to a full-length commit SHA because tags are mutable and can be moved to point at malicious commits.

Resolved versions:
- actions/github-script v9.0.0
- marocchino/sticky-pull-request-comment v3.0.4
- actions/checkout v6.0.2
- actions/setup-node v6.4.0
- softprops/action-gh-release v3.0.0
- ludeeus/action-shellcheck 2.0.0
m-shaka approved these changes (May 27, 2026)
yebis0942 approved these changes (May 27, 2026)
Summary

Pin every third-party `uses:` reference in `action.yml`, `.github/workflows/test.yml`, and `.github/workflows/release.yml` to a full-length commit SHA, keeping the resolved semver in a trailing comment (`# vX.Y.Z`).

Why

- "SHA pin required" GitHub Actions policies apply to the `uses:` steps inside a composite action's `action.yml` as well. Floating tag references such as `@v3`/`@v6` cause those environments to refuse to run `bm-action`. Pinning here unblocks them without requiring any change on the consumer side.
- Dependabot (`github-actions` ecosystem, weekly schedule) recognises the `<SHA> # <semver>` convention and updates both the SHA and the comment together, so ongoing maintenance is unchanged.

Resolved versions

| Action | Commit SHA | Version |
|---|---|---|
| actions/github-script | 3a2844b7e9c422d3c10d287c895573f7108da1b3 | v9.0.0 |
| marocchino/sticky-pull-request-comment | 0ea0beb66eb9baf113663a64ec522f60e49231c0 | v3.0.4 |
| actions/checkout | de0fac2e4500dabe0009e67214ff5f5447ce83dd | v6.0.2 |
| actions/setup-node | 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e | v6.4.0 |
| softprops/action-gh-release | b4309332981a82ec1c5618f44dd2e27cc8bfbfda | v3.0.0 |
| ludeeus/action-shellcheck | 00cae500b08a931fb5698e11e79bfbd38e612a38 | 2.0.0 |

All floating tags were resolved against the upstream repositories at the time of this change and verified to point at the same commit as the listed semver tag (no behavioural change).

Test plan

- Test workflow (bats / ShellCheck / integration on ubuntu+macOS / cli-install on ubuntu+macOS) passes on this PR
- `grep -E 'uses: .+@' action.yml .github/workflows/*.yml` shows every external reference in `<owner>/<repo>@<40-char-sha> # <semver>` form (the only exceptions being the local `uses: ./` calls in `test.yml`)

🤖 Generated with Claude Code
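The test plan's grep only lists the references; it still takes a human to eyeball each one. The script below is an added example (not code from the bm-action repository or this PR) that turns the same convention into a pass/fail check: every external `uses:` reference must be `<owner>/<repo>[/path]@<40-hex-sha>` followed by a `# <version>` comment, while local `./` calls and `docker://` images are skipped because they carry no GitHub tag. A reference that is SHA-pinned but lacks the version comment is reported separately, since that is the case Dependabot can no longer keep in lockstep. The two workflow files it writes are constructed samples for demonstration, and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example for this PR; not code from the bm-action repository.
# Checks the pinning convention: <owner>/<repo>[/path]@<40-hex-sha> # <version>
set -u

SHA_RE='[0-9a-fA-F]{40}'
# Trailing version comment in the form Dependabot maintains: "# v3.0.4", "# 2.0.0".
VER_RE='#[[:space:]]*v?[0-9]+(\.[0-9]+)*'

# scan_file FILE: print one "FILE:LINE: reason: ref" line per violation.
scan_file() {
  file=$1
  # Only real `uses:` keys; a leading `#` would make the line a YAML comment.
  grep -nE '^[[:space:]]*-?[[:space:]]*uses:' "$file" | while IFS= read -r hit; do
    lineno=${hit%%:*}
    # Value after `uses:`, trimmed, with YAML quotes removed so a comment that
    # follows a closing quote is still seen as part of the reference.
    ref=$(printf '%s' "${hit#*uses:}" | tr -d "\"'" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
    case $ref in
      ./*|docker://*) continue ;;   # local composite call or container image: nothing to pin
    esac
    if ! printf '%s' "$ref" | grep -qE "^[^@[:space:]]+/[^@[:space:]]+@${SHA_RE}([[:space:]]|$)"; then
      printf '%s:%s: not pinned to a full-length commit SHA: %s\n' "$file" "$lineno" "$ref"
    elif ! printf '%s' "$ref" | grep -qE "@${SHA_RE}[[:space:]]+${VER_RE}$"; then
      printf '%s:%s: SHA pin without a version comment (Dependabot cannot track it): %s\n' "$file" "$lineno" "$ref"
    fi
  done
}

# check_pins FILE...: print all violations; return 0 only when there are none.
check_pins() {
  violations=$(for f in "$@"; do scan_file "$f"; done)
  [ -z "$violations" ] && return 0
  printf '%s\n' "$violations"
  return 1
}

# Constructed sample workflows (not from the real repository) to exercise the check.
# good.yml follows the convention; bad.yml has a floating tag, a SHA with no
# version comment, and a truncated (38-character) SHA.
make_samples() {
  dir=$(mktemp -d)
  cat >"$dir/good.yml" <<'EOF'
name: test
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: "actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e" # v6.4.0
      - uses: ./
      - uses: docker://alpine:3.20
      - uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
EOF
  cat >"$dir/bad.yml" <<'EOF'
steps:
  - uses: actions/checkout@v6
  - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
  - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbf # v3.0.0
EOF
  printf '%s\n' "$dir"
}

# Real usage: check_pins action.yml .github/workflows/*.yml
samples=$(make_samples)
check_pins "$samples/good.yml" && echo "good.yml: every external reference is SHA-pinned"
check_pins "$samples/bad.yml" || echo "bad.yml: $(check_pins "$samples/bad.yml" | grep -c .) violation(s)"
```

Run it in CI after the workflow files change, or as a pre-commit hook, so a floating tag cannot sneak back in; the second message kind is the one to watch after a manual edit, because a bare SHA with no comment will silently stop receiving Dependabot updates.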