
Pin GitHub Actions to commit SHAs; add Dependabot config#87

Merged
mbarton merged 1 commit into live from 85-update-and-pin-github-actions on Jun 3, 2026

Conversation

@pacharanero (Member)

Per #85: pin third-party GitHub Actions to immutable commit SHAs (with a trailing version-tag comment for human readability) to mitigate supply-chain attacks via tag re-pointing. Add a Dependabot config that maintains the github-actions ecosystem with a 7-day cooldown so we don't adopt brand-new releases until any yanks/revocations have surfaced.

Each workflow has a header comment explaining the SHA-pinning convention and linking to the GitHub security-hardening docs and the mheap/pin-github-action tool.

Versions chosen are the latest stable that are also more than 7 days old (verified against each repo's official Releases page on 2 Jun 2026):

  • actions/checkout: v4 -> v6.0.2 (de0fac2, released 2026-01-09)
    • v6.0.3 was released today and skipped per the cooldown policy.
  • actions/setup-python: v5 -> v6.2.0 (a309ff8, released 2026-01-22)
  • actions/cache: v4 -> v5.0.5 (27d5ce7, released 2026-04-13)

Closes #85

Based on live so can be merged ahead of #80 and subsequent PRs without causing too much mayhem.
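As an added example (not a file from this PR or the project), here is a small checker for the convention the PR adopts: it scans a constructed "before" workflow (mutable tags) and a constructed "after" workflow (SHA pins) and reports every third-party `uses:` that is not pinned to a full 40-hex commit SHA with a trailing version-tag comment, and it reads the cooldown value out of a constructed Dependabot config. The SHAs in the sample are placeholders, not the real commits of actions/checkout, actions/setup-python or actions/cache; the `cooldown` / `default-days` keys follow Dependabot's configuration reference and are assumed here rather than copied from the PR.

```python
"""Lint GitHub Actions workflows for the SHA-pinning convention and check the
Dependabot cooldown.  Added example, not the project's own tooling."""
import re
from typing import List, Optional, Tuple

# Constructed "before" snippet: every third-party action is on a mutable tag,
# which an attacker who can re-point the tag could swap for different code.
WORKFLOW_BEFORE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: actions/cache@v4
"""

# Constructed "after" snippet.  The 40-hex SHAs are PLACEHOLDERS, not the real
# commits behind the tags; the trailing comment records the tag the SHA came
# from so humans (and Dependabot) can see which release is pinned.
WORKFLOW_AFTER = """\
# Actions are pinned to immutable commit SHAs; see GitHub's security-hardening docs.
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: actions/setup-python@fedcba9876543210fedcba9876543210fedcba98 # v6.2.0
        with:
          python-version: "3.12"
      - uses: actions/cache@abcdef0123456789abcdef0123456789abcdef01 # v5.0.5
      - uses: ./.github/actions/local-step   # local action, no ref to pin
"""

# Constructed Dependabot config with a 7-day cooldown for the github-actions
# ecosystem (key names assumed from Dependabot's configuration reference).
DEPENDABOT = """\
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 7
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)\s*(?:#\s*(\S+).*)?$")
SHA_RE = re.compile(r"[0-9a-f]{40}")
VERSION_RE = re.compile(r"v?\d+(?:\.\d+)*")


def unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, uses-spec, reason) for every `uses:` that violates
    the convention: full 40-hex commit SHA plus a trailing version comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), m.group(2)
        if spec.startswith(("./", "docker://")):
            continue  # local path or container image: there is no Git ref to pin
        if "@" not in spec:
            findings.append((lineno, spec, "no ref at all"))
            continue
        ref = spec.rsplit("@", 1)[1]
        if not SHA_RE.fullmatch(ref):
            findings.append((lineno, spec,
                             f"ref {ref!r} is a mutable tag or branch, not a 40-hex commit SHA"))
        elif comment is None or not VERSION_RE.fullmatch(comment):
            findings.append((lineno, spec, "SHA pin lacks a trailing version-tag comment"))
    return findings


def cooldown_days(dependabot_text: str) -> Optional[int]:
    """Extract `default-days` from the cooldown block, or None if absent."""
    m = re.search(r"^\s*default-days:\s*(\d+)\s*$", dependabot_text, re.M)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for lineno, spec, reason in unpinned_uses(WORKFLOW_BEFORE):
        print(f"before, line {lineno}: {spec}: {reason}")
    print("after:", unpinned_uses(WORKFLOW_AFTER) or "all pinned")
    print("cooldown days:", cooldown_days(DEPENDABOT))
```

The checker insists on the full 40-character SHA, which is what GitHub's hardening guidance recommends; the abbreviated hashes quoted in the PR description (de0fac2, a309ff8, 27d5ce7) identify the releases for readers but the workflow files themselves need the full SHA. Keeping the `# vX.Y.Z` comment next to the SHA is what lets Dependabot recognise which release is pinned and bump both the SHA and the comment together once a newer release has cleared the cooldown.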


Development

Successfully merging this pull request may close these issues.

Update GitHub Actions, pin SHA hashes, add Actions Dependabot with cooldown

2 participants