
ci: Bump and pin GitHub Actions layers #219

Merged
david-crespo merged 2 commits into main from ci_actions_updates on Jun 30, 2026

Conversation

@notpeter
notpeter (Contributor) commented Jun 26, 2026

Pin GitHub Actions to full SHA-1 hashes rather than refs (v3, etc.) because the latter are unstable and can change.

For example, these three all currently point to actions/checkout@9c091bb

The first one will change (updated tag force-pushed to replace the old tag)
The second one could change
The third one will never change

For any third-party action we should absolutely pin, because one tag force-push with compromised credentials and we'd be running arbitrary code.

If an action's repo adopted Immutable Releases we could safely use the @v7.0.0 style pin, but none of the first-party actions/* repos have done so, as it would mean that they could no longer publish tags like v7. See:

The format of putting the tag in a trailing comment matches that of renovate. This repo is not currently configured for renovate, although I think that would be reasonable to do in the future.
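The policy above (full 40-hex SHA, tag kept in a trailing comment) is easy to state and easy to regress on in a later PR. The following is an added checker, not code from this PR or the rfd-site repo, that walks a workflow file's `uses:` lines and flags anything that is still a tag, branch or abbreviated SHA. It is stdlib-only Python; the embedded workflow and its 40-hex values are constructed placeholders, not real commits of the actions named.

```python
"""Added check (not from this PR): flag GitHub Actions `uses:` references that
are not pinned to a full 40-hex commit SHA.

Policy being enforced, from the PR description: third-party actions are
referenced as owner/repo@<full sha>, with the human-readable tag kept in a
trailing comment in Renovate's format, e.g.
    uses: actions/checkout@<40 hex chars>  # v4.1.1
Tags and branches are mutable (a force-push moves them); a full SHA is not.
"""
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# A `uses:` step line: optional list dash, optional quotes around the ref,
# optional trailing "# comment" (where the tag hint is expected to live).
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<ref>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>.*?))?\s*$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


@dataclass
class Finding:
    line: int
    ref: str
    status: str  # ok | ok-no-comment | mutable | short-sha | local | docker


def classify(ref: str, comment: Optional[str]) -> str:
    """Classify one `uses:` reference against the pinning policy."""
    if ref.startswith("./"):
        return "local"      # action in this repo: already fixed by the checked-out commit
    if ref.startswith("docker://"):
        return "docker"     # image refs need an image-digest policy instead; surface for review
    if "@" not in ref:
        return "mutable"    # no ref at all resolves to the action's default branch
    version = ref.rpartition("@")[2]
    if FULL_SHA_RE.match(version):
        return "ok" if comment else "ok-no-comment"   # comment = tag hint for humans/Renovate
    if SHORT_SHA_RE.match(version):
        return "short-sha"  # abbreviated SHAs can become ambiguous; require all 40 chars
    return "mutable"        # tag (v4, v4.1.1) or branch (main): can be force-pushed


def lint_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line in a workflow or composite action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group("ref")
            findings.append(Finding(lineno, ref, classify(ref, m.group("comment"))))
    return findings


def unpinned(findings: List[Finding]) -> List[Finding]:
    """The findings that violate the policy (tags, branches, short SHAs)."""
    return [f for f in findings if f.status in ("mutable", "short-sha")]


# Constructed sample workflow; the 40-hex values are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # v4.0.2
      - uses: actions/cache@0123456
      - uses: ./.github/actions/build
      - uses: "some-org/some-action@89abcdef0123456789abcdef0123456789abcdef"
"""


def main(paths: List[str]) -> int:
    """CLI: exit 1 if any file has an unpinned action. With no paths, lint the sample."""
    texts = [(p, Path(p).read_text()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    bad = 0
    for name, text in texts:
        for f in unpinned(lint_workflow(text)):
            print(f"{name}:{f.line}: {f.status}: {f.ref}")
            bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run as `python pin_check.py .github/workflows/*.yml` in CI so a later PR cannot quietly reintroduce `@v4`; the "ok-no-comment" status is informational only, because a bare SHA is safe but loses the tag hint that Renovate-style comments carry for reviewers.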

@vercel
vercel (bot) commented Jun 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Actions   Updated (UTC)
rfd-site  Ready        Preview   Jun 26, 2026 5:50pm

@david-crespo
david-crespo (Contributor) commented

I'd like to see a line either here or in a comment in the code about why we pin commits instead of versions.

@notpeter
notpeter (Contributor, Author) commented

> I'd like to see a line either here or in a comment in the code about why we pin commits instead of versions.

I wrote up a proper description with my thinking above.

Ideally I would like to add Renovate to this repository and configure it to auto-merge PRs for actions from whitelisted repositories (actions/*). Ideally those PRs would be delayed with some cooling-off period (+72 hours) as well.

It's probably worth updating RFD 434: Using Renovate for dependency management or writing a new RFD with best practices for using Renovate.
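What the Renovate setup sketched above could look like, as an added example (this is not the repo's configuration; the PR notes rfd-site is not configured for Renovate at all). Key names are as I recall them from Renovate's documentation (`helpers:pinGitHubActionDigests`, `matchManagers`, `matchPackageNames`, `minimumReleaseAge`, `automerge`) and should be checked against the current schema before use; the regex in `matchPackageNames` is the assumed way to express the `actions/*` allow-list.

```json
{
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended",
    "helpers:pinGitHubActionDigests"
  ],
  "packageRules": [
    {
      "description": "First-party actions/* only: auto-merge after a 72-hour cooling-off period",
      "matchManagers": ["github-actions"],
      "matchPackageNames": ["/^actions\\//"],
      "minimumReleaseAge": "3 days",
      "automerge": true
    }
  ]
}
```

The digest-pinning preset is what rewrites `@v4` into the `@<sha>  # v4` form used in this PR, so Renovate and the trailing-comment convention stay in sync. Anything outside `actions/*` falls through with Renovate's default of no automerge, so third-party bumps still get a human review. Automerge additionally depends on the repository's branch protection and required checks permitting it.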

@david-crespo
david-crespo (Contributor) commented

Great, thanks. So we should probably do this in every repo, and most importantly in repos where CI uses secrets.

@david-crespo david-crespo merged commit bf63c53 into main Jun 30, 2026
4 checks passed
@david-crespo david-crespo deleted the ci_actions_updates branch June 30, 2026 23:00

2 participants