4 changes: 2 additions & 2 deletions .github/workflows/build.yml
@@ -42,10 +42,10 @@ jobs:
fi

- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@v4.2.2

- name: Set up Python 3.12
uses: actions/setup-python@v5
uses: actions/setup-python@v5.3.0
Comment on lines +45 to +48
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Resolve immutable commit SHAs for the currently selected tags.
set -euo pipefail

resolve_tag_commit() {
  local owner_repo="$1" tag="$2"
  local ref_json type sha
  ref_json="$(curl -fsSL "https://api.github.com/repos/${owner_repo}/git/ref/tags/${tag}")"
  type="$(printf '%s' "$ref_json" | jq -r '.object.type')"
  sha="$(printf '%s' "$ref_json" | jq -r '.object.sha')"

  if [[ "$type" == "tag" ]]; then
    # annotated tag -> dereference to commit
    curl -fsSL "https://api.github.com/repos/${owner_repo}/git/tags/${sha}" | jq -r '.object.sha'
  else
    # lightweight tag -> already commit
    printf '%s\n' "$sha"
  fi
}

echo "actions/checkout@v4.2.2 => $(resolve_tag_commit actions/checkout v4.2.2)"
echo "actions/setup-python@v5.3.0 => $(resolve_tag_commit actions/setup-python v5.3.0)"

Repository: junjiem/dify-plugin-repackaging

🏁 Script executed:

cat -n .github/workflows/build.yml | sed -n '40,55p'

🌐 Web query:

GitHub Actions pinning versions commit SHA vs tag best practices security

💡 Result:

Best practice: Pin GitHub Actions third-party (and any high-risk) dependencies to full, immutable commit SHAs (not tags), and (optionally) enforce this with GitHub Actions policies. 1) Why commit SHA pinning is preferred over tags - GitHub explicitly states: “Pin actions to a full-length commit SHA” is currently “the only way to use an action as an immutable release,” and that it helps mitigate the risk of a bad actor adding a backdoor to the action’s repository (they’d need to generate a SHA-1 collision for a valid Git object payload). [1] - GitHub also notes that tag pinning is less secure because a tag can be moved or deleted if a bad actor gains access to the action’s repository; commit SHAs are immutable references to a specific repository state. [1] 2) What GitHub recommends you do in practice - Use full-length commit SHAs in the workflow uses: value (for example: owner/repo@<40+ hex chars>). [1] - When selecting the SHA, verify it is from the action’s repository and not a repository fork. [1] - If you still use a tag, GitHub recommends only doing so when you trust the creator, while noting the risk that tags can be moved or deleted. [1] 3) Security governance: enforce SHA pinning at the org/repo level - GitHub’s changelog says administrators can enforce SHA pinning through the allowed actions policy; the policy checks for a full commit SHA and workflows that attempt to use an action that isn’t pinned will fail. [2] 4) Commit SHA vs tag: quick rule - For supply-chain resistance/immutability: prefer full commit SHA pinning. [1] - For convenience: tags are widely used, but they’re mutable and therefore less secure. [1] 5) How teams maintain/update pinned SHAs - A common maintainability pattern is pinning to a SHA while retaining the original version/tag as an inline comment (e.g., actions/checkout@<sha> # v4.1.1) so updates are understandable. 
[3] If you share a few of your current uses: lines, I can show how to convert each from a tag to the corresponding full commit SHA pin and keep the version comments.

Pin third-party actions by commit SHA, not tag, for immutable builds.

v4.2.2/v5.3.0 is better than major tags, but GitHub's security documentation confirms that tags can be moved or deleted if a bad actor gains access. For supply-chain integrity and reproducibility, pin uses: to full commit SHAs instead.

Suggested change
       - name: Checkout repository
-        uses: actions/checkout@v4.2.2  
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2

       - name: Set up Python 3.12
-        uses: actions/setup-python@v5.3.0
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yml around lines 45 - 48, replace the current action
pins using tags (actions/checkout@v4.2.2 and actions/setup-python@v5.3.0) with
immutable commit SHA pins: look up the exact commit SHA for each action in their
upstream GitHub repos (actions/checkout and actions/setup-python) that
correspond to the desired release, and update the workflow uses: entries to
actions/checkout@<commit-sha> and actions/setup-python@<commit-sha> so the
workflow is pinned to the specific commit rather than a mutable tag.

with:
python-version: "3.12"
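Review bot: the two `uses:` lines at +45 and +48 still reference tags (`actions/checkout@v4.2.2`, `actions/setup-python@v5.3.0`), so narrowing from the major tags `v4`/`v5` to exact patch tags limits what a moved tag could swap in but does not make either pin immutable; replace each with the full 40-character commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2`, and when resolving the SHA confirm it comes from the action's own repository (`actions/checkout`, `actions/setup-python`) rather than a fork, which the resolver script earlier in this thread does by querying those repositories directly.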

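The review above asks for full-SHA pins with the tag kept as a comment. The following is an added example, not code from this PR or from the junjiem/dify-plugin-repackaging repository: an offline lint that classifies every `uses:` reference in workflow text as a full commit SHA, a version-shaped tag, or some other moving reference, and reports the cases the review calls out (tag or branch pins, and SHA pins with no version comment). The sample workflow embedded in it is constructed from the lines under review; the two SHAs are the ones quoted in the suggested change, and `example-org/example-action` is a placeholder, not a real action.

```python
"""Lint GitHub Actions workflow text for mutable action pins.

Added example for this review thread; it is not code from the PR or from the
junjiem/dify-plugin-repackaging repository. It applies the rule the review
discussion lands on: every third-party `uses:` should reference a full
40-hex commit SHA, with the release tag kept as a trailing comment.
"""
import re
from dataclasses import dataclass
from typing import List

# Matches `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# Local (`./path`) references carry no `@ref` and therefore never match.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")      # v4, v4.2.2, 1.0 ...
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+)*")   # comment may carry extra text


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str       # "sha", "tag" or "other"
    message: str


def classify_ref(ref: str) -> str:
    """"sha" for a full 40-hex commit, "tag" for a version-shaped tag,
    "other" for branches, abbreviated SHAs and anything else that can move."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if VERSION_TAG_RE.match(ref):
        return "tag"
    return "other"


def lint_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line that is not an immutable, documented pin."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action = m.group("action").strip("\"'")
        ref = m.group("ref").strip("\"'")
        comment = (m.group("comment") or "").strip()
        if action.startswith("docker://"):
            continue  # container images are pinned by digest, a separate check
        kind = classify_ref(ref)
        if kind == "sha":
            if VERSION_COMMENT_RE.match(comment):
                continue  # immutable pin with a readable version comment: OK
            msg = "full SHA pin has no trailing version comment; add `# vX.Y.Z`"
        elif kind == "tag":
            msg = "tag is a mutable reference; pin the full commit SHA and keep the tag as a comment"
        else:
            msg = "branch or abbreviated reference is mutable; pin the full commit SHA"
        findings.append(Finding(line_no, action, ref, kind, msg))
    return findings


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per finding, suitable for CI output."""
    return [f"line {f.line_no}: {f.action}@{f.ref} [{f.kind}] {f.message}" for f in findings]


# Constructed sample built from the lines under review; the SHAs are the ones
# quoted in the suggested change, and example-org/example-action is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.2

      - name: Set up Python 3.12
        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
        with:
          python-version: "3.12"

      - name: Checkout again, SHA-pinned but undocumented
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

      - name: Placeholder third-party step (constructed, not a real action)
        uses: example-org/example-action@main
"""

if __name__ == "__main__":
    for line in report(lint_workflow(SAMPLE_WORKFLOW)):
        print(line)
```

Run it against a real file with `lint_workflow(open(".github/workflows/build.yml").read())`; a non-empty result is the condition a CI step would fail on. The check is deliberately text-based rather than YAML-parsed so it sees trailing comments, which a YAML loader discards, and it stays offline: resolving a tag to its commit is the job of the API script earlier in the thread.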