Skip to content

Add full commit sha instead of tags in workflow#2908

Open
Aniketsy wants to merge 4 commits into
microsoft:mainfrom
Aniketsy:fix-sha
Open

Add full commit sha instead of tags in workflow#2908
Aniketsy wants to merge 4 commits into
microsoft:mainfrom
Aniketsy:fix-sha

Conversation

@Aniketsy
Copy link
Copy Markdown
Contributor

@Aniketsy Aniketsy commented May 4, 2026

fixes #2903

Aniketsy
Aniketsy commented May 4, 2026
View reviewed changes
Comment thread .github/workflows/main.yaml Outdated
Aniketsy
Aniketsy commented May 4, 2026
View reviewed changes
Comment thread .github/workflows/main.yaml Outdated
@codecov
Copy link
Copy Markdown

codecov Bot commented May 4, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.49%. Comparing base (1f43db3) to head (df7077b).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2908   +/-   ##
=======================================
  Coverage   72.49%   72.49%           
=======================================
  Files         258      258           
  Lines       31471    31471           
  Branches     2973     2973           
=======================================
  Hits        22814    22814           
  Misses       7647     7647           
  Partials     1010     1010

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@titaiwangms titaiwangms requested review from Copilot and justinchuby May 4, 2026 19:41
Copilot AI reviewed May 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins GitHub Actions used by the repo’s CI/lint/pages/code-scanning workflows to immutable commit SHAs (instead of mutable version tags) to reduce supply-chain risk (fixes #2903).

Changes:

  • Replaces uses: ...@v* references with full commit SHAs across core workflows.
  • Pins Codecov and Reviewdog actions used in CI and linting.
  • Pins CodeQL init/autobuild/analyze steps used for code scanning.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/pages.yaml Pins Pages-related actions to SHAs (checkout/configure-pages/setup-python/upload-pages-artifact/deploy-pages).
.github/workflows/main.yaml Pins CI actions to SHAs (checkout/setup-python/codecov/test-results/upload-artifact).
.github/workflows/lint.yaml Pins lint workflow actions to SHAs (checkout/reviewdog actions/setup-python).
.github/workflows/codeql-analysis.yml Pins CodeQL scanning actions (checkout + codeql init/autobuild/analyze) to SHAs.

Comment thread .github/workflows/pages.yaml
with:
python-version: "3.10"
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
Comment thread .github/workflows/lint.yaml
Comment on lines +47 to 50
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
- name: Setup Python
uses: actions/setup-python@v6
uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6
with:
Aniketsy
Aniketsy commented May 6, 2026
View reviewed changes
Comment thread .github/workflows/lint.yaml Outdated
@justinchuby
Copy link
Copy Markdown
Collaborator

justinchuby commented May 6, 2026

I rethought about this: I find having to bump the sha constantly a maintenance burden, even with dependabot. I am inline to leave the trusted workflows not pinned with sha. Thanks and sorry for the churn.

@Aniketsy
Copy link
Copy Markdown
Contributor Author

Aniketsy commented May 11, 2026

thanks 😊 i understand, please feel free to close this PR or let me know if i should do .

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@justinchuby justinchuby Awaiting requested review from justinchuby

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

ONNX Script Review Board
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CI : Pin github actions to full commit SHA

3 participants

@Aniketsy @justinchuby