
Pin GitHub Actions to commit SHAs #87

Merged
infeo merged 2 commits into cryptomator:develop from mindmonk:feature/pin-ci-actions
Mar 12, 2026

Conversation

@mindmonk (Contributor)

Pin all GitHub Actions and reusable workflows to immutable commit SHAs instead of version tags.

@coderabbitai

coderabbitai bot commented Mar 12, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bec6064d-f05b-4013-8f08-26dec95997aa

📥 Commits

Reviewing files that changed from the base of the PR and between a92cced and be707fd.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/build.yml

Walkthrough

Two GitHub Actions workflow files are updated to pin action references to exact commit SHAs instead of version tags. In .github/workflows/build.yml, actions/checkout, actions/setup-java, and actions/upload-artifact are pinned to specific commits. In .github/workflows/codeql-analysis.yml, actions/checkout, actions/setup-java, and the CodeQL actions (github/codeql-action/init and github/codeql-action/analyze) are pinned to specific commits. Workflow logic, inputs, and sequencing are unchanged; only the resolved action revisions differ.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check: ✅ Passed. The title 'Pin GitHub Actions to commit SHAs' directly and clearly describes the main change in the pull request, which is pinning GitHub Actions workflow steps to exact commit SHAs instead of version tags.
Description check: ✅ Passed. The description 'Pin all GitHub Actions and reusable workflows to immutable commit SHAs instead of version tags' is directly related to the changeset and accurately describes the modifications made in both workflow files.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yml:
- Around line 18-19: The workflow still uses tag-based action references for
actions/attest-build-provenance@v3 and softprops/action-gh-release@v2; replace
those tag references with their corresponding commit SHAs (pin to exact commits)
to fully harden the supply chain—locate the occurrences of
actions/attest-build-provenance and softprops/action-gh-release in the workflow
YAML and update each uses: line to the full commit SHA for the current v3/v2
releases (verify the SHA on GitHub for the exact tag before updating) so the
workflow is consistently pinned like the existing actions/checkout and
actions/setup-java entries.

In @.github/workflows/codeql-analysis.yml:
- Around line 19-22: Replace the workflow steps that reference
github/codeql-action by tag (github/codeql-action/init@v4 and
github/codeql-action/analyze@v4) with their corresponding immutable commit SHAs
so the CodeQL workflow is fully pinned; locate the init and analyze steps in the
.github/workflows/codeql-analysis.yml file and update the uses entries to the
exact commit SHA for each action (matching the repo's vetted version) while
keeping any existing with: inputs unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 87ff6597-92bb-4d63-ba22-7fca90014cba

📥 Commits

Reviewing files that changed from the base of the PR and between 5d8010b and a92cced.

📒 Files selected for processing (2)
  • .github/workflows/build.yml
  • .github/workflows/codeql-analysis.yml
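The review comments above describe the audit by hand: find every `uses:` line and check whether its ref is a full commit SHA or a mutable tag. The following Python checker is an added example, not code from the Cryptomator project or from the review bot. It scans workflow text line by line (no YAML library needed), classifies each action reference, and returns the ones that still point at a tag, branch or nothing at all. The workflow text and the 40-character SHA inside it are constructed placeholders, not real commits.

```python
"""Audit GitHub Actions workflow text for `uses:` references that are not
pinned to a full 40-hex commit SHA (added example; placeholder data only)."""
import re
from dataclasses import dataclass

# A `uses:` value is owner/repo[/path]@ref, docker://image[:tag], or ./local/path.
# Optional quotes around the value and an optional trailing `# comment` are accepted.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    kind: str      # "sha" | "mutable" | "missing" | "local" | "docker"
    comment: str   # trailing comment, conventionally the human-readable tag


def classify(target: str):
    """Return (action, ref, kind) for the value of one `uses:` line."""
    if target.startswith("./"):
        return target, "", "local"
    if target.startswith("docker://"):
        return target, "", "docker"
    action, _, ref = target.partition("@")
    if not ref:
        return action, "", "missing"          # no ref at all: resolves to default branch
    if FULL_SHA_RE.match(ref):
        return action, ref, "sha"             # immutable commit reference
    return action, ref, "mutable"             # tag, branch or abbreviated SHA: can move


def audit_workflow(text: str):
    """Parse every `uses:` line in a workflow and classify its reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, kind = classify(m.group(1))
        findings.append(Finding(n, action, ref, kind, (m.group(2) or "").strip()))
    return findings


def unpinned(findings):
    """Findings a reviewer would ask to be pinned: mutable refs or no ref."""
    return [f for f in findings if f.kind in ("mutable", "missing")]


# Constructed sample workflow; the SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: actions/setup-java@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
        with:
          java-version: '21'
      - uses: softprops/action-gh-release@v2
      - uses: ./.github/actions/local-helper
      - uses: some-org/some-action
"""

if __name__ == "__main__":
    for f in unpinned(audit_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line_no}: {f.action}@{f.ref or '<none>'} is {f.kind}; pin to a full commit SHA")
```

The trailing `# v4` comment is kept in each finding because the convention is to record the human-readable tag next to the SHA; a reviewer can then confirm that the comment and the pinned commit actually correspond before trusting the pin.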

@infeo infeo assigned infeo and unassigned infeo Mar 12, 2026
@infeo infeo merged commit 11b42a1 into cryptomator:develop Mar 12, 2026
3 checks passed