SSDLC mitigation: Pin third-party GitHub Actions by commit SHA

[mother-6000]

Parent tracking issue

• reductstore/security#22

Control

Pin third-party GitHub Actions by commit SHA.

Why

Mitigates supply-chain tampering risk in CI workflows (TM-6, TM-12; priority P1).

Scope

• Review all workflows under .github/workflows/
• Replace tag/version references for third-party actions with full commit SHAs
• Keep first-party actions (actions/*) aligned with policy if required by the parent guidance
• Update pinned actions to the latest stable release line before pinning to SHA
• Run CI and check for compatibility breaks after updates
• If compatibility breaks exist, apply fixes in the same PR or a linked follow-up PR

Deliverables

• PR(s) that pin applicable third-party actions by SHA
• Workflow diff evidence in PR description
• Notes about any compatibility changes/fixes made

Definition of done

• All applicable workflows in this repository use pinned SHAs for third-party actions
• Action versions are updated to the latest stable release line
• Compatibility issues are resolved (or tracked in linked follow-up issues/PRs)
• Links to PR(s) are posted back to parent issue reductstore/security#22

[mother-6000]

Implementation plan drafted — please review:
@reductstore/devops @reductstore/maintainers

Summary

Pin all third-party GitHub Actions used by reduct-cpp workflows to immutable commit SHAs (after updating to the latest stable release line) to reduce CI supply-chain risk and satisfy the SSDLC control in reductstore/security#22.

Scope

In scope

• Audit .github/workflows/*.yml for all uses: action references.
• Update third-party actions from tag/version refs to full commit SHAs.
• Keep actions/* usage aligned with parent policy requirements.
• Run CI after pinning and fix compatibility regressions caused by action updates.
• Document exact old→new refs in the PR description.

Out of scope

• CI refactors unrelated to action pinning.
• Non-workflow automation outside .github/workflows/ unless needed for passing checks.

Proposed changes

1. Inventory every action used in .github/workflows and classify first-party (actions/*) vs third-party.
2. For each third-party action:
   • identify the latest stable release line,
   • resolve that release to a commit SHA,
   • replace tag/version refs with full SHA refs.
3. Apply policy-consistent handling for actions/* references.
4. Run repository CI and address failures introduced by updated action versions.
5. Open PR with:
   • per-action mapping table (old ref -> pinned SHA),
   • compatibility notes/fixes,
   • links to this issue and reductstore/security#22.

Testing strategy

• Execute repository CI workflows on the branch with updated pins.
• Validate workflow syntax/behavior through CI runs.
• Re-run failed jobs after fixes until required checks are green.

Risks & mitigations

• Behavior drift after update: latest release line may change behavior.
  • Mitigation: validate with CI and apply focused fixes in the same PR.
• Missed action references: some workflows may be overlooked.
  • Mitigation: perform exhaustive search across .github/workflows before/after edits.
• Readability loss with SHA refs:
  • Mitigation: include a clear mapping table in the PR description.

Timeline / checkpoints

• Workflow audit + pinning: ~30–45 min
• CI/fix iteration: ~30–60 min
• PR prep and linkage updates: ~15 min

[atimin]

approved

[mother-6000]

Implemented per approved plan and opened PR #126: https://github.com/reductstore/reduct-cpp/pull/126\n\nIncluded latest stable-line SHA pinning for GitHub Actions in and assigned PR to @atimin.

[mother-6000]

Correction: the workflow updates are in .github/workflows/ci.yml.