chore: pin GitHub Actions to full commit SHAs #129

Merged
0x46616c6b merged 1 commit into main from chore/pin-actions-to-sha
Apr 7, 2026
@0x46616c6b
Contributor

Type of Change

  • Bugfix
  • Enhancement / new feature
  • Refactoring
  • Documentation

Description

Pin all GitHub Actions dependencies to their full commit SHAs instead of mutable version tags to improve supply chain security. Each SHA is annotated with a version comment (e.g. # v4.0.0) for readability.

Changes across 3 files (7 actions pinned):

| Action | Version |
| --- | --- |
| docker/setup-buildx-action | v4.0.0 |
| docker/login-action | v4.1.0 |
| docker/build-push-action | v7.0.0 |
| actions/checkout | v6.0.2 |
| upwindsecurity/create-image-build-event-action | v3 |
| cla-assistant/github-action | v2.6.1 |
| Staffbase/gha-workflows | v12.0.1 |

All versions are already at their latest stable release.

Checklist

  • Write tests
  • Make sure all tests pass
  • Update documentation
  • Reference relevant issue(s) and close them after merging

The changes and the PR were generated by OpenCode.

Pin all GitHub Actions dependencies to their full commit SHAs instead of
mutable version tags to prevent supply chain attacks. Each SHA is
annotated with a version comment for readability.

Co-Authored-By: OpenCode <noreply@opencode.ai>
@0x46616c6b 0x46616c6b marked this pull request as ready for review April 7, 2026 07:58
@0x46616c6b 0x46616c6b requested review from a team as code owners April 7, 2026 07:58
@0x46616c6b 0x46616c6b merged commit 4c47a27 into main Apr 7, 2026
7 checks passed
@0x46616c6b 0x46616c6b deleted the chore/pin-actions-to-sha branch April 7, 2026 10:31
@github-actions github-actions bot locked and limited conversation to collaborators Apr 7, 2026
2 participants