Skip to content

fix: pin GitHub Actions to commit SHAs (#9108)#9393

Open
AbdelHamdyGhanem wants to merge 3 commits into
makeplane:previewfrom
AbdelHamdyGhanem:fix/9108-pin-github-actions
Open

fix: pin GitHub Actions to commit SHAs (#9108)#9393
AbdelHamdyGhanem wants to merge 3 commits into
makeplane:previewfrom
AbdelHamdyGhanem:fix/9108-pin-github-actions

Conversation

@AbdelHamdyGhanem

@AbdelHamdyGhanem AbdelHamdyGhanem commented Jul 10, 2026

Copy link
Copy Markdown

Description

Pinned GitHub Actions dependencies to immutable commit SHAs instead of mutable version tags.
Updated actions/checkout, actions/setup-python, and tailscale/github-action references in GitHub workflow files to prevent supply-chain security risks caused by mutable action tags.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • Feature (non-breaking change which adds functionality)
  • Improvement (change that would cause existing functionality to not work as expected)
  • Code refactoring
  • Performance improvements
  • Documentation update

Screenshots and Media (if applicable)

Test Scenarios

  • Verified all modified workflow files use commit SHA references instead of mutable tags.
  • Reviewed the Git diff to confirm only GitHub Actions references were changed.
  • Confirmed no remaining actions/checkout@v6, actions/setup-python@v6, or tailscale/github-action@v4 references exist in the updated workflows.

References

Fixes #9108

Summary by CodeRabbit

  • Chores
    • Pinned continuous integration and deployment workflow actions to specific revisions for more consistent, reliable runs.
    • Updated repository checkout and Python setup actions to fixed commit references while keeping build and lint behavior unchanged.
    • Updated the deployment networking-related action to a pinned revision.

@CLAassistant

CLAassistant commented Jul 10, 2026

Copy link
Copy Markdown

CLA assistant check
All committers have signed the CLA.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fe54e1a5-140f-409a-8897-5428b8c083d1

📥 Commits

Reviewing files that changed from the base of the PR and between 984bd67 and bcf2c29.

📒 Files selected for processing (1)
  • .github/workflows/pull-request-build-lint-api.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pull-request-build-lint-api.yml

📝 Walkthrough

Walkthrough

The deployment and pull-request build workflows replace floating GitHub Actions version tags with specific commit SHA references for checkout, Tailscale, and Python setup actions.

Changes

GitHub Actions pinning

Layer / File(s) Summary
Pin workflow action dependencies
.github/workflows/feature-deployment.yml, .github/workflows/pull-request-build-lint-api.yml
Deployment checkout and Tailscale actions, plus pull-request checkout and Python setup actions, now reference specific commit SHAs instead of major version tags.

Estimated code review effort: 2 (Simple) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly states the main change: pinning GitHub Actions to commit SHAs.
Description check ✅ Passed The description includes the required sections and explains the change, testing, and reference issue.
Linked Issues check ✅ Passed The changes satisfy #9108 by replacing the listed mutable GitHub Action refs with immutable SHAs.
Out of Scope Changes check ✅ Passed The PR appears scoped to workflow dependency pinning, with no unrelated code changes introduced.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/feature-deployment.yml:
- Line 125: Remove the leading “v” from the pinned `tailscale/github-action`
reference in the workflow, changing it to the exact immutable commit SHA
`306e68a486fd2350f2bfc3b19fcd143891a4a2d8`.

In @.github/workflows/pull-request-build-lint-api.yml:
- Around line 30-32: Update the actions/setup-python reference in the workflow
to the commit SHA corresponding to the intended v6 release, replacing the
current v6.2.0 SHA while leaving the checkout action unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 10ccab84-b9a9-4d8c-b32e-a2edd611bcd3

📥 Commits

Reviewing files that changed from the base of the PR and between dc9d80b and 4179b15.

📒 Files selected for processing (2)
  • .github/workflows/feature-deployment.yml
  • .github/workflows/pull-request-build-lint-api.yml

Comment thread .github/workflows/feature-deployment.yml Outdated
Comment thread .github/workflows/pull-request-build-lint-api.yml Outdated
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Action actions/checkout pinned to mutable ref @v6: `uses

2 participants