chore: pin GitHub Actions to commit SHA#6

Merged
vallieres merged 2 commits into
mainfrom
sec-cli/pin-actions
Jun 4, 2026
Conversation

@quentin-laplanche-docker

What

This Pull Request pins all GitHub Actions references in workflow files from mutable tags (e.g. v4, latest) to their corresponding full-length commit SHAs, with the original tag preserved as an inline comment for readability.

Before:

uses: actions/checkout@v4

After:

uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

Important

No functional behavior changes — workflows will run the exact same action code as before.

Why

Mutable tags (like v4 or latest) can be force-pushed to point to a different commit at any time. Pinning to a full SHA ensures:

  • Supply chain integrity — the exact code that runs in CI is immutable and auditable
  • Protection against tag hijacking — a compromised upstream action can't silently inject malicious code via a tag update
  • Reproducible builds — workflows always use the same action code regardless of upstream changes

Note

Where mutable references were used (e.g. v4, latest), the SHA corresponds to the commit the reference pointed to on April 16th, 2026 at 11:30 AM UTC.

How this was done

Changes were generated automatically by the Docker security team using internal tooling that resolves each action tag to its corresponding commit SHA via the GitHub API and rewrites the workflow files.

Every third-party action used across the org has been individually security-reviewed before pinning.

How to review

  • Each uses: line now references a full 40-character SHA
  • Pinned SHAs match the versions previously used
  • Inline # vX comments match the original tags that were pinned

Please feel free to edit this pull request!

Warning

If anything looks incorrect or unexpected, or if you have questions, reach out to #help-security on Slack before merging.
Note

If you need to update a pinned action in the future, update both the SHA and the inline comment.

Signed-off-by: Quentin Laplanche <quentin.laplanche@docker.com>
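The review checklist in the description (every uses: line carries a full 40-character SHA, and the inline # vX comment preserves the original tag) can be checked mechanically rather than by eye. The script below is an added example for that check; it is not the Docker security team's internal tooling and is not part of this pull request. The sample workflow is constructed for the example: the checkout SHA is the one quoted in the description above, the setup-node SHA is an obvious placeholder, and local (./) and docker:// references are reported as skipped because they have no git commit to pin.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Matches a step's `uses:` line, optionally quoted, optionally followed by an
# inline `# comment` (the preserved tag, e.g. `# v4`).
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?(?P<target>[^'"\s#]+)['"]?\s*(?:#\s*(?P<comment>\S.*?))?\s*$"""
)
# A full-length git commit SHA: exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    comment: Optional[str]
    status: str  # pinned | pinned-no-comment | unpinned | skipped


def check_workflow(text: str) -> list[Finding]:
    """Classify every `uses:` reference found in a workflow file."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, comment = m.group("target"), m.group("comment")
        # Local actions and docker:// images have no git ref to pin.
        if target.startswith("./") or target.startswith("docker://"):
            findings.append(Finding(line_no, target, "", comment, "skipped"))
            continue
        action, _, ref = target.partition("@")
        if FULL_SHA_RE.match(ref):
            # Pinned, but the inline tag comment is what keeps it readable.
            status = "pinned" if comment else "pinned-no-comment"
        else:
            # A tag, a branch, an abbreviated SHA, or no ref at all.
            status = "unpinned"
        findings.append(Finding(line_no, action, ref, comment, status))
    return findings


def needs_attention(findings: list[Finding]) -> list[Finding]:
    """Everything a reviewer should look at before merging."""
    return [f for f in findings if f.status in ("unpinned", "pinned-no-comment")]


# Constructed sample workflow. Line 8 uses the checkout SHA quoted in the PR
# description; line 9 uses a placeholder SHA, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: actions/cache@v4.0.2
      - uses: ./.github/actions/local-build
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for f in needs_attention(check_workflow(SAMPLE_WORKFLOW)):
        print(f"line {f.line_no}: {f.action}@{f.ref or '<none>'} -> {f.status}")
```

Run against a real repository with something like `check_workflow(open(".github/workflows/ci.yml").read())` for each file; a non-empty `needs_attention` list means the pinning is incomplete, and a `pinned-no-comment` entry is the case the description's closing note warns about, where the SHA was updated but the inline tag was not (or vice versa).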
@github-actions github-actions Bot added the INFRA label Apr 20, 2026
@vallieres

@copilot resolve the merge conflicts in this pull request

Copilot AI commented Jun 4, 2026

@copilot resolve the merge conflicts in this pull request

Resolved and pushed in commit 818a50a.

Copilot AI requested a review from vallieres June 4, 2026 18:03
@vallieres vallieres merged commit 0c36baa into main Jun 4, 2026
15 checks passed
@vallieres vallieres deleted the sec-cli/pin-actions branch June 4, 2026 18:17