ci: pin actions to commit SHAs and add shellcheck#3126
Open
PascalThuet wants to merge 3 commits into
Conversation
Pin actions/github-script in catalog-assign.yml to a full commit SHA; all other workflows were already pinned. Add a repo-wide regression test that every workflow `uses:` ref is pinned to a 40-char commit SHA. Add a shellcheck job to lint.yml (--severity=error over scripts/bash/*.sh) and document the local command in CONTRIBUTING.md.
Pull request overview
This PR improves CI/workflow supply-chain hygiene by ensuring GitHub Actions are pinned to immutable commit SHAs, adds a regression test to enforce that policy, and introduces a ShellCheck lint job for the repo’s Bash scripts.
Changes:
- Pin `actions/github-script` in `catalog-assign.yml` to a full 40-char commit SHA.
- Add `tests/test_github_workflows.py` to assert all workflow `uses:` references are pinned to commit SHAs.
- Add a `shellcheck` job to `lint.yml` and document the local command in `CONTRIBUTING.md`.
| File | Description |
|---|---|
| `tests/test_github_workflows.py` | Adds a regression test to enforce SHA-pinned `uses:` refs across `.github/workflows/*.yml` (and `.yaml`). |
| `CONTRIBUTING.md` | Documents the local ShellCheck invocation consistent with the new CI job. |
| `.github/workflows/lint.yml` | Introduces a new ShellCheck job to lint `scripts/bash/*.sh` in CI. |
| `.github/workflows/catalog-assign.yml` | Pins `actions/github-script` to a full commit SHA to reduce supply-chain risk. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 1
mnriem (Collaborator) requested changes on Jun 23, 2026:
Please address Copilot feedback
PascalThuet (Author):
Addressed the Copilot finding: the
Assisted-by: Codex (model: GPT-5, autonomous)
Part of splitting #2442 into smaller, dedicated PRs (per maintainer request). This is the first, dependency-free slice: workflow hygiene only, no runtime code changes.
What
- `actions/github-script` in `catalog-assign.yml` to a full commit SHA (`3a2844b…` # v9). All other workflows were already pinned.
- `tests/test_github_workflows.py`: a repo-wide regression test asserting every `uses:` ref is pinned to a 40-char commit SHA.
- `shellcheck` job to `lint.yml` (`--severity=error` over `scripts/bash/*.sh`).
- `CONTRIBUTING.md`.

Why
Unpinned actions are a supply-chain risk: a moved tag can change the executed code. The shellcheck job catches real bugs in committed bash scripts.

Validation
- `tests/test_github_workflows.py` passes (12 workflows scanned, all pinned).
- `shellcheck --severity=error scripts/bash/*.sh` runs in CI.

Split from #2442. No dependency on the other split PRs.
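The kind of regression check the PR describes, as an added illustration that is not the PR's own `tests/test_github_workflows.py`: it scans workflow text line by line for `uses:` references and reports any whose ref is not a 40-hex-character commit SHA. The line-based scan, the exemption of local (`./`) actions and `docker://` images, the helper names `find_unpinned` / `scan_workflow_dir`, and the sample workflow (with an all-zero placeholder SHA) are assumptions made for this example.

```python
"""Added example: report GitHub Actions `uses:` refs that are not SHA-pinned.

Illustrative code written for this page, not the repository's own test.
Assumes the common `uses: owner/repo@ref  # comment` layout, which a
line-based scan handles without a YAML parser.
"""
import re
from pathlib import Path

# A pinned ref is exactly 40 lowercase hex characters (a full git commit SHA).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Captures the target of a `uses:` key; stops at whitespace, quotes or a trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)['"]?""")


def find_unpinned(workflow_text):
    """Return (line_no, target) for every `uses:` target not pinned to a commit SHA."""
    problems = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1)
        # Local composite actions and container images carry no git ref to pin (assumed exempt).
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            # No ref at all: GitHub resolves this to the default branch, which can move.
            problems.append((lineno, target))
            continue
        ref = target.rsplit("@", 1)[1]
        if not SHA_RE.fullmatch(ref):
            # Tags and branch names are mutable pointers, not immutable pins.
            problems.append((lineno, target))
    return problems


def scan_workflow_dir(path):
    """Map each workflow file under `path` to its unpinned refs (files with none are omitted)."""
    results = {}
    for pattern in ("*.yml", "*.yaml"):
        for f in sorted(Path(path).glob(pattern)):
            found = find_unpinned(f.read_text(encoding="utf-8"))
            if found:
                results[f.name] = found
    return results


# Constructed sample workflow (not from the repository). Line 7 is pinned to a
# placeholder all-zero SHA; lines 8 and 11 float on a tag and a branch.
SAMPLE = """\
name: example
on: [push]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-thing
      - name: script
        uses: actions/github-script@main
"""

if __name__ == "__main__":
    for lineno, target in find_unpinned(SAMPLE):
        print(f"line {lineno}: {target} is not pinned to a commit SHA")
```

Wiring `scan_workflow_dir(".github/workflows")` into a test and asserting the result is an empty dict gives the repo-wide guard the PR description talks about; a new or updated workflow that floats on a tag then fails CI instead of silently widening the supply-chain exposure.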