
Pin all GitHub Actions references#4901

Merged
hauntsaninja merged 1 commit into psf:main from woodruffw-forks:ww/pin-actions
Dec 9, 2025

Conversation

@woodruffw (Member)

Description

This hash-pins all GitHub Actions.

I used `pinact run -v` to perform and verify this; a separate tool like `gha-update` could be used to cross-check them for honesty!

Note: This only pins the actions; I haven't attempted any bumps. Dependabot will keep them updated, including updating the version comments.

For context: this is an important (but not final) step towards making GitHub Actions runs generally more hermetic/reproducible. One of the big issues with GitHub Actions is that it encourages mutable tag usage by default, meaning that an attacker who manages to take over a third-party action can pretty easily pivot onto lots of critical projects by force-pushing over an existing version tag. Hash-pinning prevents that.

For more information, I've put some docs on hash pinning in zizmor's audit docs: https://docs.zizmor.sh/audits/#unpinned-uses

Checklist - did you ...

  • Implement any code style changes under the --preview style, following the
    stability policy?
  • Add an entry in CHANGES.md if necessary?
  • Add / update tests if necessary?
  • Add new / update outdated documentation?

Leaving all of the above blank since I believe this is an internal-only CI change 🙂

This hash-pins all GitHub Actions.

I used `pinact run -v` to perform and verify this;
a separate tool like `gha-update` could be used to
cross-check them for honesty!

Note: This only pins the actions; I haven't attempted
any bumps. Dependabot will keep them updated, including
updating the version comments.

Signed-off-by: William Woodruff <william@yossarian.net>
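The description above explains why a `uses:` reference that names a tag or branch is mutable while one that names a full commit SHA is not. The following is an added example, not code from this PR, from `pinact`, or from the black repository: a small dependency-free scanner that reads a workflow file and classifies every `uses:` reference the way a reviewer checking this PR would (full 40-hex SHA with a version comment, SHA without the comment Dependabot maintains, mutable tag/branch/short SHA, local `./` action, Docker image with or without a digest). The workflow text and the SHAs in it are constructed placeholders, not real commits.

```python
"""Classify GitHub Actions `uses:` references as hash-pinned or mutable.

Added example; not part of the PR. Uses only the standard library so it can
be run against any workflow file offline.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample workflow. The 40-hex and sha256 values are placeholders,
# not real commits or image digests.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.6.0
      - uses: actions/cache@main
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: actions/download-artifact@0123456
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/img:1.2.3
      - uses: docker://ghcr.io/example/img@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""


class Finding(NamedTuple):
    line: int      # 1-based line number in the workflow file
    ref: str       # the `uses:` value as written (quotes stripped)
    verdict: str   # classification, see classify()


# Matches `- uses: <ref>` or `uses: <ref>`, with an optional trailing
# `# <comment>` (the version comment pinact/Dependabot maintain).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*?)\s*)?$"
)
# A full git object SHA-1; GitHub requires the full SHA, not an abbreviation,
# for a commit-pinned action reference.
FULL_SHA_RE = re.compile(r"\A[0-9a-f]{40}\Z")
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}\Z")


def classify(ref: str, comment: Optional[str]) -> str:
    """Return a verdict string for one `uses:` reference."""
    if ref.startswith("./"):
        # Same-repository action: it is versioned by the checked-out commit,
        # so there is nothing external to pin.
        return "local"
    if ref.startswith("docker://"):
        # Container actions are pinned by image digest, not by git SHA.
        return "pinned-docker" if IMAGE_DIGEST_RE.search(ref) else "unpinned-docker"
    if "@" not in ref:
        return "unpinned"
    _action, _, version = ref.rpartition("@")
    if FULL_SHA_RE.fullmatch(version):
        # Pinned. The `# vX.Y.Z` comment is what tells humans (and Dependabot)
        # which release the SHA corresponds to, so its absence is worth flagging.
        return "pinned" if comment else "pinned-no-version-comment"
    # Tag, branch, or abbreviated SHA: all mutable or not accepted as a pin.
    return "unpinned"


def audit(workflow_text: str) -> List[Finding]:
    """Scan a workflow file's text and classify every `uses:` reference."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        findings.append(Finding(lineno, ref, classify(ref, m.group("comment"))))
    return findings


def unpinned(workflow_text: str) -> List[Finding]:
    """Only the findings a reviewer would block on: mutable references."""
    return [f for f in audit(workflow_text) if f.verdict.startswith("unpinned")]


if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"line {f.line:>3}  {f.verdict:<26} {f.ref}")
```

Run against a real file with `audit(open(".github/workflows/ci.yml").read())`; anything in `unpinned()` is what `pinact run` would rewrite. This scanner is deliberately offline, so it cannot tell whether the SHA in a pinned reference actually belongs to the release named in the comment; that is the "cross-check for honesty" the description mentions, and it needs a tool that resolves tags against the upstream repository.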
hauntsaninja added the `skip news` label (Pull requests that don't need a changelog entry) on Dec 9, 2025
github-actions bot commented Dec 9, 2025

diff-shades reports zero changes comparing this PR (55f06d6) to main (782e560).


@woodruffw (Member, Author)

xref #4611 for some backing motivation here -- I'll do some more follow-up PRs for other findings from zizmor 🙂

hauntsaninja merged commit 23b8127 into psf:main on Dec 9, 2025
63 of 64 checks passed
rxjacob pushed a commit to rxjacob/black that referenced this pull request on Jan 3, 2026