
chore: pin GitHub Actions to commit SHAs#663

Merged

dasanra merged 1 commit into main from chore/pin-gh-actions-sha on May 11, 2026

Conversation

@compojoom
Contributor

What it solves

GitHub Actions referenced by mutable tags (e.g. @v3) can be silently re-pointed by a tag move, which is a supply-chain risk. GitHub itself recommends pinning third-party (and first-party) actions to a full commit SHA.

How this PR fixes it

Replaced every uses: owner/action@vX reference across all four workflow files with uses: owner/action@<full-sha> # <exact-version>. The trailing comment records the exact released tag the SHA corresponds to (e.g. v3.6.0, v3.9.1) rather than the floating major (v3), so future updates are explicit.

Actions pinned:

  • actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 (v3.6.0)
  • actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 (v3.9.1)
  • contributor-assistant/github-action@b2a7f9fb90217ea0b8a0c95c288221457be4a31f (v2.2.0)
  • gnosis/changesets-action-github-releases@0c10ec15081f104b1ce721beadafddb9d2880336 (v1.2.0)

No behavioral change — the SHAs resolve to the same versions previously in use.

How to test it

  1. Open the Actions tab on this PR and confirm the Test and ESLint check workflows run and pass.
  2. Inspect the workflow run logs to confirm each action resolves to the pinned SHA (the version comment matches).
  3. Verify the CLA workflow is triggered on this PR (it uses the pinned contributor-assistant/github-action).

Screenshots

N/A - no UI changes

Checklist

  • I've tested the branch on mobile 📱
  • I've documented how it affects the analytics (if at all) 📊
  • I've written a unit/e2e test for it (if applicable) 🧑‍💻

CLA signature

With the submission of this Pull Request, I confirm that I have read and agree to the terms of the Contributor License Agreement.
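
The audit-and-rewrite step described in the PR above, as an added example (not code from this PR or from the repository it targets). It assumes a `resolved` mapping supplied by the caller from `(action, tag-as-written)` to `(commit SHA, exact tag)`; the SHA/tag pairs used in the sample are the four listed in the description, the sample workflow is constructed for the example, and the function names are the example's own.

```python
"""Audit and pin `uses:` references in GitHub Actions workflow files.

Added example; not code from this PR or the project. The caller supplies
`resolved`, a map from (action, tag-as-written) to (commit SHA, exact tag).
Fill it from the upstream repository, e.g.
  git ls-remote --tags https://github.com/actions/checkout
where the `refs/tags/v3.6.0^{}` entry is the commit an annotated tag points at.
"""
import re
from typing import Dict, List, Tuple

# `uses: owner/repo@ref` or `owner/repo/subdir@ref`, plus any trailing comment.
# Local (`./...`) and `docker://` references have no `@tag` form and do not match.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)@(?P<ref>[^\s#]+)"
    r"(?P<rest>\s*(?:#.*)?)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(workflow: str) -> List[Tuple[int, str, str]]:
    """(line_no, action, ref) for every `uses:` whose ref is not a full 40-hex SHA."""
    findings = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            findings.append((n, m.group("action"), m.group("ref")))
    return findings


def missing_version_comment(workflow: str) -> List[Tuple[int, str]]:
    """SHA-pinned references that lack the `# <exact-version>` trailer the PR adopts."""
    findings = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m and FULL_SHA_RE.match(m.group("ref")) and "#" not in m.group("rest"):
            findings.append((n, m.group("action")))
    return findings


def pin_workflow(workflow: str, resolved: Dict[Tuple[str, str], Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Rewrite unpinned refs as `action@<sha> # <exact-tag>`.

    Returns (new_text, unresolved). Refs missing from `resolved` are left
    untouched and reported, so a tag never silently survives the rewrite.
    """
    out, unresolved = [], []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            if key in resolved:
                sha, exact = resolved[key]
                if not FULL_SHA_RE.match(sha):  # refuse to "pin" to another tag or a short SHA
                    raise ValueError(f"{key}: {sha!r} is not a full commit SHA")
                line = f"{m.group('prefix')}{m.group('action')}@{sha} # {exact}"
            else:
                unresolved.append(f"{key[0]}@{key[1]}")
        out.append(line)
    text = "\n".join(out)
    return (text + "\n" if workflow.endswith("\n") else text), unresolved


# Constructed sample workflow (not one of the project's four files).
SAMPLE_WORKFLOW = """\
name: Test
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
      - uses: gnosis/changesets-action-github-releases@0c10ec15081f104b1ce721beadafddb9d2880336 # v1.2.0
      - uses: contributor-assistant/github-action@b2a7f9fb90217ea0b8a0c95c288221457be4a31f
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.18
"""

# The SHA / exact-tag pairs are the ones listed in the PR description; the
# mapping itself is what you would derive from `git ls-remote` for each action.
RESOLVED = {
    ("actions/checkout", "v3"): ("f43a0e5ff2bd294095638e18286ca9a3d1956744", "v3.6.0"),
    ("actions/setup-node", "v3"): ("3235b876344d2a9aa001b8d1453c930bba69e610", "v3.9.1"),
}

if __name__ == "__main__":
    for n, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {action}@{ref} is a mutable ref")
    for n, action in missing_version_comment(SAMPLE_WORKFLOW):
        print(f"line {n}: {action} is pinned but has no version comment")
    pinned, unresolved = pin_workflow(SAMPLE_WORKFLOW, RESOLVED)
    print(pinned)
    assert not unresolved and not find_unpinned(pinned)
```

Two checks a reviewer of such a PR still owes beyond what the script does: confirm that each SHA is reachable from the upstream repository's own tag (a 40-hex string copied from a fork looks identical and the check above cannot tell the difference), and keep the `# vX.Y.Z` trailer accurate, since it is the only human-readable record of what is pinned; tools such as Dependabot and Renovate will update both the SHA and that comment together once the pin is in place.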

@changeset-bot

changeset-bot Bot commented May 11, 2026

⚠️ No Changeset found

Latest commit: b489926

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@compojoom compojoom requested a review from dasanra May 11, 2026 16:07
@dasanra dasanra merged commit 139fa4f into main May 11, 2026
5 of 6 checks passed
@dasanra dasanra deleted the chore/pin-gh-actions-sha branch May 11, 2026 16:31