
chore: Pin GitHub Actions#575

Open
gjtorikian wants to merge 1 commit into main from chore/pin-github-actions

Conversation

@gjtorikian
Contributor

@gjtorikian gjtorikian commented Feb 26, 2026

Summary

Pin all third-party GitHub Actions to immutable commit SHAs.

Why

Action tags (like v3, v4, main) can be moved or retagged, which means a future workflow run could execute different code than what we reviewed today. Pinning to SHAs makes the workflow supply chain deterministic and auditable, reducing the risk of action-level compromise or accidental breaking changes. We can still update intentionally by bumping the SHA.
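The tag-versus-SHA distinction described above, as an added example that is not part of this PR or the project's code: a small Python audit that flags `uses:` references still pointing at a mutable tag or branch, and SHA pins that lack the version comment which keeps a pin readable and bumpable. The workflow snippet and the SHAs in it are constructed placeholders, not real commits.

```python
import re

# Matches a step's `uses:` reference such as `uses: actions/checkout@v4` or
# `uses: actions/checkout@<40-hex-sha> # v4.2.2`. Local (./path) and docker:// uses
# contain no `owner/repo@ref` shape and are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w./-]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def audit_workflow(text):
    """Return one finding per third-party `uses:` line: (action, ref, pinned, comment)."""
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        comment = (m.group("comment") or "").strip()
        findings.append((m.group("action"), ref, bool(SHA_RE.match(ref)), comment))
    return findings


def unpinned(text):
    """Actions referenced by a mutable tag or branch: the risk the PR description names."""
    return [(a, r) for a, r, pinned, _ in audit_workflow(text) if not pinned]


def pinned_without_version_comment(text):
    """SHA pins with no trailing `# vX.Y.Z` comment, so the pinned version is not human-readable."""
    return [(a, r) for a, r, pinned, c in audit_workflow(text) if pinned and not c]


# Constructed sample workflow (not from the PR): a mutable tag, a branch, a SHA pin with a
# version comment, and a SHA pin without one. The SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: some-org/some-action@main
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: astral-sh/setup-uv@89abcdef0123456789abcdef0123456789abcdef
      - run: echo "not a uses line"
"""

if __name__ == "__main__":
    for action, ref in unpinned(SAMPLE):
        print(f"UNPINNED {action}@{ref}")
```

Run it over each file under `.github/workflows/` to get the list a reviewer would check before and after a pinning PR like this one.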

@gjtorikian gjtorikian requested a review from a team as a code owner February 26, 2026 19:38
@gjtorikian gjtorikian requested a review from csrbarber February 26, 2026 19:38
@greptile-apps
Contributor

greptile-apps bot commented Feb 26, 2026

Greptile Summary

This PR enhances supply chain security by pinning all third-party GitHub Actions to immutable commit SHAs, preventing potential compromise from tag manipulation. It also drops Python 3.8 from the dev environment and CI test matrix (while maintaining runtime support for end users).

Major Changes:

  • Pinned 7 different GitHub Actions across 5 workflow files to specific SHAs with version comments
  • Removed Python 3.8 from dev dependency resolution (pyproject.toml, noxfile.py, CI test matrix)
  • Updated uv.lock to reflect Python 3.9+ resolution (480 lines changed)
  • Added Renovate rule to prevent pyjwt updates in 2.9.x range
  • Preserved Python 3.8 in smoke-test matrix for backward compatibility verification

Confidence Score: 5/5

  • Safe to merge - security improvement with no functional risks
  • All changes are low-risk security and maintenance improvements: SHA pinning is a best practice that makes workflows deterministic, and Python 3.8 removal is well-documented with proper backward compatibility preservation for end users
  • No files require special attention

Important Files Changed

Filename | Overview
.github/workflows/ci.yml | Pinned all third-party actions to immutable SHAs; removed Python 3.8 from main test matrix (kept in smoke-test)
.github/workflows/release.yml | Pinned all release workflow actions including create-github-app-token, checkout, action-gh-release, and setup-uv to SHAs
.github/workflows/version-bump.yml | Pinned create-github-app-token, checkout, setup-uv, and create-pull-request actions to SHAs
renovate.json | Added rule to prevent pyjwt updates in 2.9.x range (related to Python 3.8 removal)
pyproject.toml | Added [tool.uv] environments configuration to resolve lockfile only for Python 3.9+

Last reviewed commit: c78c68c

@greptile-apps greptile-apps bot left a comment

9 files reviewed, no comments

@gjtorikian gjtorikian force-pushed the chore/pin-github-actions branch from c78c68c to 629ab60 Compare February 26, 2026 19:53
@gjtorikian gjtorikian changed the title Pin GitHub Actions chore: Pin GitHub Actions Feb 26, 2026