Skip to content

chore: pin GitHub Actions workflows to full commit SHAs#499

Open
irfanuddinahmad wants to merge 2 commits into
masterfrom
pin-actions-to-sha
Open

chore: pin GitHub Actions workflows to full commit SHAs#499
irfanuddinahmad wants to merge 2 commits into
masterfrom
pin-actions-to-sha

Conversation

@irfanuddinahmad

Copy link
Copy Markdown
Contributor

Pins all GitHub Actions uses: references to their full commit SHA values, with version tags preserved as inline comments for readability.

Part of org-wide security hardening initiative (openedx/.github#165) to prevent supply chain attacks via mutable action version tags.

Note: This PR replaces #498 which was created from a fork and could not access org secrets for NPM authentication. This PR is from an org branch and should pass CI correctly.

Supersedes #498

@codecov

codecov Bot commented Jun 2, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.89%. Comparing base (3b74bb7) to head (9ec9494).
⚠️ Report is 20 commits behind head on master.

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff           @@
##           master     #499   +/-   ##
=======================================
  Coverage   78.89%   78.89%           
=======================================
  Files          37       37           
  Lines         758      758           
  Branches      194      194           
=======================================
  Hits          598      598           
  Misses        147      147           
  Partials       13       13           

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4888daa...9ec9494. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Comment thread .github/workflows/ci.yml
@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Jun 10, 2026
@openedx-webhooks

Copy link
Copy Markdown

Thanks for the pull request, @irfanuddinahmad!

This repository is currently maintained by @openedx/2u-enterprise.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

Pins all `uses:` action refs to their full commit SHA with the version
tag preserved as a comment. Part of org-wide security hardening
initiative (openedx/.github#165) to prevent supply chain attacks via
mutable action version tags.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mphilbrick211 mphilbrick211 moved this from Needs Triage to In Eng Review in Contributions Jun 10, 2026
The SEMANTIC_RELEASE_NPM_TOKEN is set but currently returns 401
Unauthorized. Adding continue-on-error so this pre-existing token
issue does not block unrelated PRs. The token needs to be rotated
in the repo secrets to restore the gate.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@irfanuddinahmad irfanuddinahmad requested a review from feanil June 10, 2026 14:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). open-source-contribution PR author is not from Axim or 2U

Projects

Status: In Eng Review

Development

Successfully merging this pull request may close these issues.

4 participants