Skip to content

Pin GitHub Actions to commit hashes for security #537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
majamassarini merged 1 commit into from
May 21, 2026
Merged

Pin GitHub Actions to commit hashes for security #537

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/check-release-notes.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@ on:
jobs:
check_release_notes:
name: Notes are either written, or there are none
uses: packit/.github/.github/workflows/check-release-notes.yml@main
uses: packit/.github/.github/workflows/check-release-notes.yml@2837c96caf71966609451ad0323552ef4be11a23 # main
Copy link
Copy Markdown

@LecrisUT LecrisUT May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This has quite a trade-off of needing to babysit the these updates based on commit bumps to main. May not be that big of an issue if everyone remembers to bump when the relevant files in packit/packit change.

with:
description: ${{ github.event.pull_request.body }}
2 changes: 1 addition & 1 deletion .github/workflows/do-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@ jobs:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release') && github.repository_owner == 'packit'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
Copy link
Copy Markdown

@LecrisUT LecrisUT May 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that a per-requisite for these is to change the tag from vX to vX.Y.Z, otherwise tools like dependabot and renovate would not work properly (yes it would just freeze to the commit you gave, but also not give you any updates either). Although, these have not been updated since v3 so far anyway 😅.

Copy link
Copy Markdown
Member Author

@majamassarini majamassarini May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @LecrisUT for the tip, I didn't know that. However as you noticed, we haven't updated them so far. When I was pinning these down, I was wondering if it was a good moment to update them all. But I dismissed it, because there is no easy way to test that I don't break anything. So I think we can keep living with these versions. 😅

- name: Create GitHub release
run: |
VERSION=$(grep -oP '^# \K[0-9.]+([.\-_]?[a-zA-Z0-9.\-_]+)?' CHANGELOG.md | head -n 1)
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/prepare-release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,18 +16,18 @@ jobs:
contents: write

steps:
- uses: actions/checkout@v3
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
with:
fetch-depth: 0
- name: Prepare release content
uses: packit/prepare-release@v3
uses: packit/prepare-release@8e32a3a2fc5b1c33b5dca1620c073d5a7dffd5a5 # v3
with:
version: ${{ inputs.version }}
specfiles: fedora/python-specfile.spec,epel8/python-specfile.spec,centos-integration-sig/python-specfile.spec
prerelease_suffix_pattern: "([.\\-_]?)(a(lpha)?|b(eta)?|r?c|pre(view)?)([.\\-_]?\\d+)?"
prerelease_suffix_macro: prerelease
- name: Create Pull Request
uses: peter-evans/create-pull-request@v7
uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
with:
labels: release
commit-message: Release ${{ inputs.version }}
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/pypi-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,11 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
with:
persist-credentials: false

- uses: actions/setup-python@v5
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5

- name: Get history and tags for SCM versioning to work
run: |
Expand All @@ -34,7 +34,7 @@ jobs:
python -m build

- name: Store the distribution packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: python-package-distributions
path: dist/
Expand All @@ -52,13 +52,13 @@ jobs:

steps:
- name: Download all the dists
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: python-package-distributions
path: dist/

- name: Publish 📦 to PyPI
# https://github.com/pypa/gh-action-pypi-publish
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
with:
verbose: true
Loading