Governance: replace gh actions versions with pinned sha and add dependabot config #113

@leandrodamascena

Description

Security posture

When we reference a GitHub Action by tag (like @v4), that tag can be moved to point to different code. If someone compromises the action's repository, they could inject malicious code that runs in our workflows without us knowing.

Solution

GitHub recommends pinning actions to specific commit SHAs instead of tags. A commit SHA is immutable and it always points to the exact same code.

Instead of this:

- uses: actions/checkout@v4

We can do this:

- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

How to solve

Go through all workflows in .github/workflows/ and replace tag references with commit SHAs. Add version comments so we can tell what each SHA represents. Also, add Dependabot configuration.

Keeping things updated

Once we pin to SHAs, Dependabot can still help us stay current. It will create PRs when new versions are available, showing the SHA for the new version.
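The check the "How to solve" step describes can be automated. The following script is an added example written for this page, not code from this project or its author: it scans a workflow file for `uses:` lines, treats only a full 40-hex commit SHA as pinned, flags tag or branch references (mutable) and SHA pins that lack the version comment the issue asks for, and emits the Dependabot configuration for the `github-actions` ecosystem that keeps those pins current. The sample workflow is constructed; the all-zero SHA in it is a placeholder, and the file names and function names are the example's own choices.

```python
"""Report GitHub Actions references that are not pinned to a full commit SHA."""
import re
from typing import NamedTuple, Optional

# Only a full 40-hex commit SHA counts as pinned; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches a `uses:` line and captures the reference plus any trailing "# v1.2.3" comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?(?:\s*#\s*(.*?))?\s*$")


class ActionRef(NamedTuple):
    line_no: int
    action: str             # e.g. "actions/checkout", "docker://alpine:3.19", "./local"
    ref: Optional[str]      # text after '@'; None for docker:// and local references
    kind: str               # "sha", "mutable", "docker" or "local"
    comment: Optional[str]  # trailing version comment, if present


def classify(value: str):
    """Return (action, ref, kind) for the value of a `uses:` key."""
    if value.startswith("docker://"):
        return value, None, "docker"     # container image: pinned by digest, not by SHA
    if value.startswith("./"):
        return value, None, "local"      # action inside this repo: versioned with the repo
    action, sep, ref = value.partition("@")
    if not sep:
        return action, "", "mutable"     # no ref at all: treat as unpinned
    return action, ref, ("sha" if SHA_RE.fullmatch(ref) else "mutable")


def scan_workflow(text: str):
    """Parse every `uses:` line of a workflow file into an ActionRef."""
    refs = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref, kind = classify(m.group(1))
            refs.append(ActionRef(line_no, action, ref, kind, m.group(2)))
    return refs


def findings(text: str):
    """Human-readable list of references that need attention."""
    out = []
    for r in scan_workflow(text):
        if r.kind == "mutable":
            out.append(f"line {r.line_no}: {r.action}@{r.ref} is not pinned to a commit SHA")
        elif r.kind == "sha" and not r.comment:
            out.append(f"line {r.line_no}: {r.action}@{r.ref[:7]}... is pinned but has no version comment")
    return out


def dependabot_config(interval: str = "weekly") -> str:
    """Content for .github/dependabot.yml that proposes SHA bumps for actions."""
    return (
        "version: 2\n"
        "updates:\n"
        '  - package-ecosystem: "github-actions"\n'
        '    directory: "/"\n'
        "    schedule:\n"
        f'      interval: "{interval}"\n'
    )


# Constructed sample workflow (not from the project's repository). The all-zero
# SHA is a placeholder that only shows a pin without a version comment.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-python@v5
      - uses: actions/cache@0000000000000000000000000000000000000000
      - uses: docker://alpine:3.19
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for msg in findings(SAMPLE_WORKFLOW):
        print(msg)
    print(dependabot_config())
```

Run it against each file under `.github/workflows/` (reading the file into `findings`) before and after the rewrite; an empty result means every action is SHA-pinned and carries a version comment. `docker://` images and local `./` actions are reported separately rather than flagged, since they are not versioned by a Git ref at all.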

Metadata

Labels: enhancement (New feature or request)