
chore: Pin GitHub Actions#445

Open
gjtorikian wants to merge 1 commit into main from chore/pin-github-actions

Conversation

@gjtorikian
Contributor

@gjtorikian gjtorikian commented Feb 26, 2026

Summary

Pin all third-party GitHub Actions to immutable commit SHAs.

Why

Action tags (like v3, v4, main) can be moved or retagged, which means a future workflow run could execute different code than what we reviewed today. Pinning to SHAs makes the workflow supply chain deterministic and auditable, reducing the risk of action-level compromise or accidental breaking changes. We can still update intentionally by bumping the SHA.
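As an added example, not code from this PR or from the repository it targets, here is a small Python checker that turns the policy described above into a CI gate: it walks every `uses:` reference in a workflow file, accepts only full-length commit SHAs as pinned, flags tags and branches (v4, main, or no ref at all) as unpinned, and reports SHA pins that lack a `# vX.Y.Z` comment. The workflow text, the action names and the 40-hex SHAs in the sample are all constructed placeholders, not real commits; `resolve_tag_to_commit` is a helper that needs network access and is not exercised by the offline demo.

```python
"""Audit GitHub Actions workflow text for unpinned third-party actions.

Added example, not code from the PR or its repository.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Only a full 40-hex commit SHA counts as pinned; tags and branches are mutable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)

# `- uses: owner/repo@ref  # comment` at step level, or a job-level `uses:`
# for a reusable workflow. Group 1 is the target, group 2 the trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)['"]?\s*(?:#\s*(.*))?$""")


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    status: str  # pinned | pinned-no-comment | unpinned | skipped
    version_comment: str = ""


def audit_workflow(text: str) -> list[Finding]:
    """Classify every `uses:` reference in one workflow file's text."""
    findings: list[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        target, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and docker images are not GitHub-hosted refs; skip them.
        if target.startswith("./") or target.startswith("docker://"):
            findings.append(Finding(lineno, target, "", "skipped"))
            continue
        if "@" not in target:
            # No ref at all: GitHub uses the default branch, the worst case.
            findings.append(Finding(lineno, target, "", "unpinned"))
            continue
        action, ref = target.rsplit("@", 1)
        if SHA_RE.match(ref):
            status = "pinned" if comment else "pinned-no-comment"
        else:
            status = "unpinned"
        findings.append(Finding(lineno, action, ref, status, comment))
    return findings


def unpinned_actions(findings: list[Finding]) -> list[str]:
    """Targets that would fail a 'pin everything' policy gate in CI."""
    return [f"{f.action}@{f.ref}" if f.ref else f.action
            for f in findings if f.status == "unpinned"]


def resolve_tag_to_commit(action: str, tag: str) -> str | None:
    """Resolve a tag to the commit SHA that should replace it (needs network).

    An annotated tag has its own object SHA; `git ls-remote` prints the peeled
    commit as refs/tags/<tag>^{} and that commit is what a workflow must pin,
    so prefer the peeled line when it exists.
    """
    repo = "/".join(action.split("/")[:2])  # owner/repo, dropping any subpath
    out = subprocess.run(
        ["git", "ls-remote", f"https://github.com/{repo}.git", f"refs/tags/{tag}"],
        capture_output=True, text=True, check=True,
    ).stdout
    peeled = plain = None
    for line in out.splitlines():
        sha, _, ref = line.partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    return peeled or plain


# Constructed sample; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
# constructed sample workflow
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: ruby/setup-ruby@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: some-org/some-action
      - uses: "amannn/action-semantic-pull-request@main"
  release:
    uses: some-org/shared/.github/workflows/release.yml@v1
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.status:<18} {f.action}@{f.ref} {f.version_comment}")
    print("unpinned:", unpinned_actions(audit_workflow(SAMPLE_WORKFLOW)))
```

Two caveats worth keeping in mind when adopting this. The `# v6.0.2` comment is informational only; GitHub does not check that the SHA actually belongs to that tag, so a reviewer should resolve the tag (the peeled commit, not the annotated tag object) and compare before approving a bump. And a SHA pin stops a tag from being retargeted under you, but it does not vet the commit you pin to; when an update bot proposes a new SHA, review the upstream diff between the two commits rather than trusting the version label.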

@gjtorikian gjtorikian requested a review from a team as a code owner February 26, 2026 19:38
@gjtorikian gjtorikian requested review from blairworkos and removed request for a team February 26, 2026 19:38
@greptile-apps

greptile-apps bot commented Feb 26, 2026

Greptile Summary

This PR enhances GitHub Actions security by pinning all third-party actions to immutable commit SHAs instead of mutable tags.

Changes:

  • Pinned 6 action references across 4 workflow files to specific commit SHAs
  • Added version comments (e.g., # v6.0.2) to most pinned actions for easy reference
  • Prevents supply chain attacks where action tags could be moved to malicious code

Security Impact:
This change makes the CI/CD pipeline deterministic and auditable, eliminating the risk of actions being silently updated to execute different code.

Confidence Score: 5/5

  • This PR is completely safe to merge - it's a pure security hardening change with no functional modifications
  • Perfect score because this is a security best practice with zero risk. All changes pin actions to specific SHAs, making workflows immutable and auditable. No logic changes, no new dependencies, just improved supply chain security.
  • No files require special attention

Important Files Changed

Filename | Overview
.github/workflows/ci.yml | Pinned actions/checkout to SHA for v6.0.2
.github/workflows/lint-pr-title.yml | Pinned amannn/action-semantic-pull-request to SHA for v6.1.1
.github/workflows/release-please.yml | Pinned actions/create-github-app-token and googleapis/release-please-action to SHAs for v2.2.1 and v4.4.0 respectively
.github/workflows/release.yml | Pinned three actions to SHAs: rubygems/configure-rubygems-credentials, actions/checkout (v6.0.2), and ruby/setup-ruby (v1.288.0)

Last reviewed commit: d0cd1e4


@greptile-apps greptile-apps bot left a comment


4 files reviewed, no comments


@gjtorikian gjtorikian force-pushed the chore/pin-github-actions branch from d0cd1e4 to e86df6f Compare February 26, 2026 19:54
@gjtorikian gjtorikian changed the title Pin GitHub Actions chore: Pin GitHub Actions Feb 26, 2026