chore: pin GitHub Actions to full-length commit SHAs #1911

Open

joshuarli wants to merge 1 commit into master from pin-gha-actions

Conversation

@joshuarli
Member

Summary

  • Pin all GitHub Actions references in .github/ workflow files to full-length commit SHAs

Generated by devenv pin_gha.

🤖 Generated with Claude Code

@joshuarli joshuarli requested a review from a team as a code owner March 23, 2026 19:58
Comment on lines +12 to +17
uses: getsentry/github-workflows/.github/workflows/updater.yml@26f565c05d0dd49f703d238706b775883037d76b # v3
with:
path: crates/symbolicator-crash/sentry-native
name: Native SDK
secrets:
api-token: ${{ secrets.CI_DEPLOY_KEY }}
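Review bot: keep the trailing `# v3` comment next to the pinned SHA on the `uses:` line deliberately, since it is the only remaining link between the 40-character SHA and the tag it was resolved from, and it is what automated updaters read when proposing bumps. Because this job also hands `CI_DEPLOY_KEY` to the reusable workflow via `secrets:`, the pin is doing real work here, so spot-check that this SHA is the commit `v3` pointed to in getsentry/github-workflows at the time `pin_gha` ran; a full-length SHA is only as trustworthy as the resolution step that produced it.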

Check warning (Code scanning / CodeQL): Workflow does not contain permissions (severity: Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {}

Copilot Autofix (AI, 2 months ago)

In general, the fix is to add an explicit permissions: block to the workflow (either at the top level to apply to all jobs, or within the specific job) that grants the minimal required permissions to GITHUB_TOKEN. For a dependency update workflow that primarily reads repository contents and likely opens or updates pull requests, a sensible minimal starting point is contents: read plus pull-requests: write if it needs to create/update PRs. If you are unsure, starting with read-only (contents: read) is the safest, and you can expand later if the workflow fails due to insufficient privileges.

For this specific file, the best way to fix the issue without changing functionality is to add a permissions: block at the workflow root (right below name:) so it applies to all jobs, including the reusable native job. A conservative, minimal and commonly recommended configuration is:

permissions:
  contents: read

If you know that the updater workflow needs to push branches or open PRs, you could instead use:

permissions:
  contents: write
  pull-requests: write

Since we must avoid guessing extra behavior, we’ll implement the minimal safe baseline of contents: read. Concretely, in .github/workflows/update-deps.yml, insert a permissions: block after line 1 (name: Update Dependencies) and before the on: block. No imports or additional definitions are needed.

Suggested changeset 1
.github/workflows/update-deps.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/update-deps.yml b/.github/workflows/update-deps.yml
--- a/.github/workflows/update-deps.yml
+++ b/.github/workflows/update-deps.yml
@@ -1,4 +1,6 @@
 name: Update Dependencies
+permissions:
+  contents: read
 
 on:
   # Run every Monday at 3am.
EOF
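Review bot: before applying `contents: read` at the workflow root, confirm that the reusable workflow this file calls (`updater.yml`, see the lines 12-17 context above) does not rely on `GITHUB_TOKEN` to push branches or open pull requests. A caller-level `permissions:` block also caps the token handed to a reusable workflow, so if the updater needs write access the run will fail after this patch and the `contents: write` plus `pull-requests: write` variant from the suggestion is the one to use instead. Since the job passes `CI_DEPLOY_KEY` as `api-token`, it may well perform its writes with that key rather than `GITHUB_TOKEN`, in which case the read-only baseline in this hunk is correct; that check is what decides between the two suggested blocks.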
Copilot is powered by AI and may make mistakes. Always verify output.
Contributor

What's with this diff? Only one line has changed.
