
Conversation

@mindmonk

Pin all GitHub Actions and reusable workflows to immutable commit SHAs instead of version tags.
This improves supply-chain security.

@coderabbitai

coderabbitai bot commented Feb 11, 2026

Warning

Rate limit exceeded

@mindmonk has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 11 minutes and 52 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

Walkthrough

This pull request pins GitHub Actions dependencies across five workflow configuration files to specific commit SHAs, replacing generic version tags (v4, v2) with exact revisions. Each pinned action includes an inline comment documenting the previous version. Additionally, the build.yml workflow adds a draft: true parameter to the release creation step, and build-win.yml includes a TODO comment regarding replacement of the codesign step with Azure signing. No control flow or core logic changes are introduced.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested labels

enhancement

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'Pin GitHub Actions to commit SHAs' directly and concisely summarizes the main change across all modified workflow files.
Description check | ✅ Passed | The description accurately explains that GitHub Actions are being pinned to commit SHAs for supply-chain security, which aligns with all changes shown in the raw summary.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@mindmonk

@coderabbitai review

@coderabbitai

coderabbitai bot commented Feb 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/build.yml (1)

37-41: ⚠️ Potential issue | 🟡 Minor

Inconsistent softprops/action-gh-release version across workflows.

This file and post-publish.yml pin to v2.5.0 (a06a81a...), while build-linux.yml, build-mac.yml, and build-win.yml pin to v2.4.1 (6da8fa9...). All workflows should use the same version for consistency and to avoid subtle behavioral differences.

Also, draft: true on Line 41 is a behavioral change beyond the stated scope of this PR (pinning SHAs). Releases created by this workflow will now be drafts instead of published. Please confirm this is intentional.

🧹 Nitpick comments (1)
.github/workflows/build-win.yml (1)

105-105: Missing version comment for skymatic/workflows action pin.

All other pinned actions include a version comment (e.g., # v4.3.1), but this one only has #TODO: replace by azure signing. Consider adding the version or tag that SHA 450e322... corresponds to, so future maintainers know what was pinned.

Suggested improvement
-        uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f `#TODO`: replace by azure signing
+        uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f # vX.Y.Z TODO: replace by azure signing
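Review bot: the `+` line still carries a literal `# vX.Y.Z` placeholder beside the pinned SHA, so applying the suggestion as-is would commit a version comment that documents nothing. Before applying it, resolve which skymatic/workflows tag 450e322... actually corresponds to and write that tag in place of `vX.Y.Z`; moving the `TODO: replace by azure signing` note after the version comment, as the suggested line does, is fine.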

@mindmonk mindmonk requested a review from infeo February 11, 2026 13:21
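A small linter for the convention this PR and the review comments describe (every third-party action pinned to a 40-hex commit SHA, a trailing version comment such as `# v2.5.0`, and the same action pinned to the same SHA in every workflow file), written as an added example rather than taken from the project; the sample workflow snippets, file names and SHAs are constructed placeholders.

```python
import re
from collections import defaultdict

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$")
SHA_RE = re.compile(r"[0-9a-f]{40}")          # an immutable pin is a full commit SHA
VERSION_RE = re.compile(r"v\d+(?:\.\d+)*")    # the "# v4.3.1"-style comment the PR adds

def check_workflow(name, text):
    """Lint one workflow file; returns (findings, pins) with pins = [(action, sha, version), ...]."""
    findings, pins = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2) or ""
        if ref.startswith(("./", "docker://")) or "@" not in ref:
            continue  # local actions and container images are out of scope here
        action, rev = ref.rsplit("@", 1)
        if not SHA_RE.fullmatch(rev):
            findings.append(f"{name}:{lineno}: {action} uses mutable ref {rev!r}, not a commit SHA")
            continue
        version = VERSION_RE.search(comment)
        if version is None:
            findings.append(f"{name}:{lineno}: {action}@{rev[:7]} has no version comment")
        pins.append((action, rev, version.group(0) if version else None))
    return findings, pins

def check_consistency(pins_by_file):
    """Flag an action pinned to different SHAs in different workflow files."""
    shas = defaultdict(lambda: defaultdict(set))  # action -> sha -> {files}
    for fname, pins in pins_by_file.items():
        for action, sha, _ in pins:
            shas[action][sha].add(fname)
    return [f"{action} pinned inconsistently: " + "; ".join(f"{s[:7]} in {', '.join(sorted(f))}" for s, f in sorted(by_sha.items()))
            for action, by_sha in shas.items() if len(by_sha) > 1]

def lint(workflows):
    """workflows: {filename: yaml text}; returns per-file findings followed by cross-file ones."""
    findings, pins_by_file = [], {}
    for fname, text in workflows.items():
        file_findings, pins_by_file[fname] = check_workflow(fname, text)
        findings.extend(file_findings)
    return findings + check_consistency(pins_by_file)

SHA_A, SHA_B, SHA_C = "a" * 40, "b" * 40, "c" * 40  # constructed placeholder SHAs, not real commits
SAMPLE = {  # constructed snippets that mirror the PR's pattern; not the project's real workflow files
    "build.yml": f"      - uses: softprops/action-gh-release@{SHA_A} # v2.5.0\n        with:\n          draft: true\n",
    "build-win.yml": f"      - uses: actions/checkout@v4\n      - uses: softprops/action-gh-release@{SHA_B} # v2.4.1\n"
                     f"      - uses: skymatic/workflows/.github/actions/win-sign-action@{SHA_C} #TODO: replace by azure signing\n",
}
```

Running `lint(SAMPLE)` reports the unpinned `actions/checkout@v4`, the sign action with only a TODO comment, and the two different `softprops/action-gh-release` SHAs across files, which are the three classes of issue the review raised.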