
#22580: CI: pin workflow action refs to immutable SHAs

by Rohan5commit · open · 2026-02-21 09:57
labels: scripts, size: S
## Summary

- pin external workflow actions in `.github/workflows/*.yml` from mutable major tags (e.g. `@v4`) to immutable commit SHAs
- include version comments next to each pinned SHA for readability
- add `scripts/check-workflow-action-pinning.py` and run it from `workflow-sanity.yml` so new workflows cannot reintroduce mutable action refs

## Why

This closes the workflow supply-chain gap tracked in #9473 by eliminating mutable action tag execution in CI/CD.

## Validation

- `rg -n "uses:\s*[^@\\s]+/[^@\\s]+@v[0-9]" .github/workflows/*.yml || true`
- `python3 scripts/check-workflow-action-pinning.py`
- `python3 scripts/check-composite-action-input-interpolation.py`

### Greptile Summary

Pins all external GitHub Actions references in `.github/workflows/*.yml` files from mutable version tags (e.g. `@v4`) to immutable commit SHAs with version comments for readability. Adds `scripts/check-workflow-action-pinning.py` validator that runs in `workflow-sanity.yml` to prevent future mutable action references in workflow files. This closes a supply-chain security gap by ensuring workflow actions cannot be retroactively modified by upstream maintainers.

### Confidence Score: 4/5

- This PR is safe to merge with only minor security gaps remaining in composite actions
- The implementation correctly pins all workflow actions to immutable SHAs and adds automated validation. However, the scope is limited to `.github/workflows/` and doesn't address mutable action references in `.github/actions/` composite actions, leaving a small supply-chain gap. The validation script is well-implemented with proper regex patterns and clear error messages. All workflow file changes follow the correct pattern of SHA pinning with version comments.
- No files require special attention - all changes follow the established pattern correctly

Last reviewed commit: 852cf92
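An illustration of the kind of check the PR's `scripts/check-workflow-action-pinning.py` performs, added here as an example; it is not the PR's script, and the rules it enforces (a 40-hex commit SHA followed by a version comment, with local `./` actions and `docker://` images skipped) are assumptions about what such a checker should do.

```python
"""Added example (not the PR's scripts/check-workflow-action-pinning.py); the rules below are assumptions."""
import re
import sys
from pathlib import Path

# A `uses:` value at step or job level, optionally quoted, with an optional trailing comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?(?P<ref>[^'"\s#]+)['"]?\s*(?P<comment>#.*)?$""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def check_uses_ref(ref, comment):
    """Return the problems with one `uses:` value (empty list if it is acceptable)."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return []  # local composite actions and images are out of scope here
    if "@" not in ref:
        return [f"{ref}: no @ref, so it resolves to the action's default branch"]
    action, _, version = ref.rpartition("@")
    if not SHA_RE.fullmatch(version):
        return [f"{action}: ref '{version}' is a mutable tag or branch, not a 40-hex commit SHA"]
    if not comment:
        return [f"{action}: pinned SHA has no version comment (e.g. '# v4.2.2')"]
    return []

def check_workflow_text(text, name="<workflow>"):
    """Scan one workflow's text line by line; return 'name:line: problem' strings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            findings += [f"{name}:{lineno}: {p}" for p in check_uses_ref(m["ref"], m["comment"])]
    return findings

def check_workflow_dir(root=Path(".github/workflows")):
    """Check every workflow file under root, the directory the PR's check covers."""
    return [f for p in sorted(root.glob("*.y*ml"))
            for f in check_workflow_text(p.read_text(encoding="utf-8"), str(p))]

# Constructed sample: mutable tag, branch ref, placeholder SHA (not a real commit) with comment, local action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@main
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-thing
"""
if __name__ == "__main__":  # exit non-zero so a CI job such as workflow-sanity.yml fails on findings
    problems = check_workflow_dir()
    print("\n".join(problems) or "all action refs are SHA-pinned")
    sys.exit(1 if problems else 0)
```

Run against the constructed sample, `check_workflow_text(SAMPLE_WORKFLOW)` reports lines 4 and 5 and accepts the SHA-pinned and local steps.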
