#22580: CI: pin workflow action refs to immutable SHAs
Labels: scripts · size: S · Cluster: GitHub Actions CI Improvements
## Summary
- pin external workflow actions in `.github/workflows/*.yml` from mutable major tags (e.g. `@v4`) to immutable commit SHAs
- include version comments next to each pinned SHA for readability
- add `scripts/check-workflow-action-pinning.py` and run it from `workflow-sanity.yml` so new workflows cannot reintroduce mutable action refs
## Why
This closes the workflow supply-chain gap tracked in #9473 by eliminating mutable action tag execution in CI/CD.
## Validation
- `rg -n "uses:\s*[^@\\s]+/[^@\\s]+@v[0-9]" .github/workflows/*.yml || true`
- `python3 scripts/check-workflow-action-pinning.py`
- `python3 scripts/check-composite-action-input-interpolation.py`
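As an added example (not this PR's `scripts/check-workflow-action-pinning.py`, whose internals are not shown here), the checker below does the same class of validation in standalone form: it parses `uses:` lines, treats anything that is not a 40-hex commit SHA as a mutable ref, and also insists on the trailing version comment so a pinned SHA stays reviewable. It goes slightly beyond the PR's stated scope in two ways: it flags branch refs such as `@main`, which the `@v[0-9]` grep in the validation list would not match, and its globs (an assumption, not the PR's) also cover composite actions under `.github/actions/`. The sample workflow and its 40-hex value are constructed placeholders, not real commits.

```python
import re
import sys
from pathlib import Path

# A remote step or reusable-workflow reference: owner/repo[/path]@ref, optionally
# followed by a trailing "# vX.Y.Z" comment. Quotes around the value are tolerated.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<action>[^\s'"@]+)@(?P<ref>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>\S.*))?$"""
)
# GitHub commit SHAs are 40 lowercase hex characters; anything else is a tag or branch.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Files to scan: workflows plus composite actions (assumed globs, adjust per repo).
SCAN_GLOBS = (
    ".github/workflows/*.yml",
    ".github/workflows/*.yaml",
    ".github/actions/**/action.yml",
    ".github/actions/**/action.yaml",
)


def parse_uses(line):
    """Return (action, ref, comment) for a remote `uses:` line, else None.

    Local composite actions (./path) and docker:// images are skipped: the
    former live in the repo, the latter are pinned by image digest, not git SHA.
    """
    m = USES_RE.match(line)
    if not m:
        return None
    action = m.group("action")
    if action.startswith("./") or action.startswith("docker://"):
        return None
    return action, m.group("ref"), m.group("comment")


def find_unpinned(text, path="<inline>"):
    """Return (path, lineno, action, ref, reason) for each ref that is mutable
    or is a SHA pin without the version comment that keeps it reviewable."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        action, ref, comment = parsed
        if not SHA_RE.match(ref):
            findings.append((path, lineno, action, ref,
                             "mutable ref (tag or branch); pin to a 40-hex commit SHA"))
        elif not comment:
            findings.append((path, lineno, action, ref,
                             "SHA pin has no '# vX.Y.Z' version comment"))
    return findings


def scan_tree(root="."):
    """Scan every file matching SCAN_GLOBS under root and aggregate findings."""
    findings = []
    for pattern in SCAN_GLOBS:
        for path in sorted(Path(root).glob(pattern)):
            findings.extend(find_unpinned(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Node
        uses: actions/setup-node@main
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - uses: ./.github/actions/local-build
      - run: echo ok
"""


if __name__ == "__main__":
    # No argument: check the constructed sample. Otherwise scan a checkout and
    # exit non-zero on any finding so the job fails in CI.
    results = find_unpinned(SAMPLE_WORKFLOW) if len(sys.argv) < 2 else scan_tree(sys.argv[1])
    for path, lineno, action, ref, reason in results:
        print(f"{path}:{lineno}: {action}@{ref}: {reason}")
    sys.exit(1 if results else 0)
```

Run with no arguments to see the three expected findings from the sample (the `@v4` tag, the `@main` branch, and the SHA pin lacking its version comment); pass a repository path to scan it and get a non-zero exit on any finding, which is what a `workflow-sanity` style job needs.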
### Greptile Summary
Pins all external GitHub Actions references in `.github/workflows/*.yml` files from mutable version tags (e.g. `@v4`) to immutable commit SHAs with version comments for readability. Adds `scripts/check-workflow-action-pinning.py` validator that runs in `workflow-sanity.yml` to prevent future mutable action references in workflow files. This closes a supply-chain security gap by ensuring workflow actions cannot be retroactively modified by upstream maintainers.
### Confidence Score: 4/5
- This PR is safe to merge with only minor security gaps remaining in composite actions
- The implementation correctly pins all workflow actions to immutable SHAs and adds automated validation. However, the scope is limited to `.github/workflows/` and doesn't address mutable action references in `.github/actions/` composite actions, leaving a small supply-chain gap. The validation script is well-implemented with proper regex patterns and clear error messages. All workflow file changes follow the correct pattern of SHA pinning with version comments.
- No files require special attention - all changes follow the established pattern correctly
Last reviewed commit: 852cf92
## Most Similar PRs
| PR | Author | Date | Similarity |
|---|---|---|---|
| #9474: fix: GitHub Actions not pinned to SHA digests in CI/CD workflows | coygeek | 2026-02-05 | 84.5% |
| #22250: ci: pin GitHub Actions to SHA and harden Dockerfiles | novalis133 | 2026-02-20 | 82.6% |
| #3885: Upgrade GitHub Actions to latest versions | salmanmkc | 2026-01-29 | 73.5% |
| #11765: fix(ci): restrict GITHUB_TOKEN permissions in workflows | coygeek | 2026-02-08 | 73.4% |
| #22578: CI: enforce explicit workflow token permissions | Rohan5commit | 2026-02-21 | 70.0% |
| #3884: Upgrade GitHub Actions for Node 24 compatibility | salmanmkc | 2026-01-29 | 69.8% |
| #11313: feat(ci): add staged release pipeline workflows (dormant) | quotentiroler | 2026-02-07 | 68.6% |
| #17452: ci: Grant write perms for Issues for formal-conformance.yml | thesomewhatyou | 2026-02-15 | 68.5% |
| #17426: ci(formal): don't fail on fork PRs when PR comment is blocked | mitre88 | 2026-02-15 | 68.0% |
| #7835: CI: add dependency security audit job | M00N7682 | 2026-02-03 | 66.8% |