chore(ci): pin third-party GitHub Actions to commit SHAs#3631
Merged
Conversation
Replaces every mutable tag (`@v4`, `@v2`, `@master`, etc.) on third-party actions with the commit SHA they currently resolve to, with a trailing `# <tag>` comment so Dependabot/Renovate can keep them updated. Closes Tolmo findings 04e0e887, 3580d63d, 3ced71b1, 59691bf4, ce908e26, f7d7ab2e, 8bd4a7ba, 6ab1fc7e — all rooted in the unpinned `oven-sh/setup-bun@v2` (and other tags) reachable from `deploy-production.yml` and `build-desktop.yml`. 114 references pinned across 13 workflow files. No logic changes.
Contributor
📝 WalkthroughWalkthroughGitHub Actions workflows across the repository were updated to pin external action references to specific commit SHAs instead of floating major version tags. Changes affect checkout, Bun setup, caching, artifact, and deployment actions across multiple workflow files; no step logic or inputs were modified. Changes
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~3 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Greptile SummaryThis PR pins all 114 third-party GitHub Actions Key changes:
Confidence Score: 5/5This PR is safe to merge immediately — it is a pure security improvement with no logic changes and complete coverage of all 114 third-party action references. All third-party uses: references have been pinned with consistent SHAs across every file, trailing tag comments are present for Dependabot/Renovate compatibility, and a post-change grep confirms zero remaining unpinned references. There are no logic changes, so regression risk is negligible. No files require special attention. All 13 workflow files are mechanically correct and internally consistent.
|
| Filename | Overview |
|---|---|
| .github/workflows/deploy-production.yml | Pins 7 action references (checkout, setup-bun, cache, setup-node, flyctl-actions) to SHAs; highest-priority file given VERCEL_TOKEN and FLY_API_TOKEN exposure risk noted in Tolmo findings |
| .github/workflows/build-desktop.yml | Pins 5 action references (checkout, setup-bun, cache, upload-artifact x3) to SHAs; critical given Apple signing secrets exposure risk |
| .github/workflows/deploy-preview.yml | Pins 13 action references across 6 jobs covering checkout, setup-bun, cache, create-branch-action, upload-artifact, download-artifact, fly-pr-review-apps, and actions-comment-pull-request |
| .github/workflows/cleanup-preview.yml | Pins delete-branch-action, flyctl-actions/setup-flyctl (with informative # master @ 2026-04-21 comment), and actions-comment-pull-request |
| .github/workflows/ci.yml | Pins checkout, setup-bun, and cache across 5 jobs; no issues |
| .github/workflows/release-desktop-canary.yml | Pins checkout, download-artifact, and softprops/action-gh-release; only workflow file using action-gh-release (release-desktop.yml uses gh CLI instead) |
| .github/workflows/build-cli.yml | Pins checkout@v5, setup-bun, setup-node, upload-artifact@v5, and download-artifact@v5 — uses v5 action variants consistently |
| .github/workflows/bump-homebrew.yml | Pins single checkout@v5 reference; all other steps use shell scripts with no external actions |
| .github/workflows/release-desktop.yml | Pins checkout@v4 and download-artifact@v4; uses gh release create CLI (not softprops action) so no additional action pinning needed |
| .github/workflows/generate-changelog.yml | Pins checkout, setup-bun, and cache; no issues |
| .github/workflows/setup-automations-schedule.yml | Pins checkout, setup-bun, and cache; no issues |
| .github/workflows/triage-issue.yml | Pins checkout, setup-bun, and cache; no issues |
| .github/workflows/update-docs.yml | Pins checkout, setup-bun, and cache; no issues |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[Third-party Action referenced\nby mutable tag e.g. @v2] -->|Before this PR| B{Maintainer account\ncompromised?}
B -->|Yes| C[Attacker pushes malicious\ncode to tag]
C --> D[CI job runs attacker code\nin trusted context]
D --> E[Secrets exfiltrated\nVERCEL_TOKEN, FLY_API_TOKEN,\nANTHROPIC_API_KEY, etc.]
B -->|No| F[Normal execution]
A2[Third-party Action referenced\nby immutable SHA e.g. @ed8efb3...] -->|After this PR| G{Maintainer account\ncompromised?}
G -->|Yes| H[Attacker pushes malicious\ncode to tag]
H --> I[SHA still resolves to\noriginal safe commit]
I --> J[Normal execution\nattack blocked]
G -->|No| J
Reviews (1): Last reviewed commit: "chore(ci): pin third-party GitHub Action..." | Re-trigger Greptile
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
🧹 Preview Cleanup CompleteThe following preview resources have been cleaned up:
Thank you for your contribution! 🎉 |
Replaces major-tracking comments (`# v4`, `# v2`, `# master`) with the precise release tag the SHA points to (`# v4.3.1`, `# v2.2.0`, `# 1.6`). Same SHAs, more useful comments — Dependabot/Renovate can now show "v4.3.1 → v4.4.0" in the bump PR title instead of a no-op `v4 → v4`.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
@v4,@v2,@master,@1.3.0, …) on third-party actions with the commit SHA it currently resolves to, leaving a trailing# <tag>comment so Dependabot/Renovate can still find and bump them.uses:references pinned across 13 workflow files. Zero logic changes — line counts net to ±0 (114 ins / 114 del)../.github/...references are intentionally left as-is.Why
Closes Tolmo findings:
04e0e887critical — APPLE signing secrets viabuild-desktop.yml3580d63dcritical — VERCEL_TOKEN viadeploy-production.yml3ced71b1high — FLY_API_TOKEN59691bf4high — BETTER_AUTH_SECRETce908e26high — ANTHROPIC_API_KEYf7d7ab2ehigh — GH_WEBHOOK_SECRET8bd4a7bamedium — QSTASH_TOKEN + signing keys6ab1fc7emedium — SLACK_CLIENT_SECRET + SLACK_SIGNING_SECRETAll eight findings share the same root cause: a maintainer-account compromise of an unpinned action (notably
oven-sh/setup-bun@v2, alsosuperfly/flyctl-actions/setup-flyctl@master) would execute attacker code in our deploy/build jobs and exfiltrate every secret listed above. Pinning to a SHA blocks that path.Resolved SHAs
actions/checkoutv4/v534e1148…/93cb6ef…oven-sh/setup-bunv20c5077e…actions/cachev40057852…actions/setup-nodev5a0853c2…actions/upload-artifactv4/v5ea165f8…/330a01c…actions/download-artifactv4/v5d3f86a1…/634f93c…softprops/action-gh-releasev23bb1273…neondatabase/delete-branch-actionv34468d82…neondatabase/create-branch-actionv6fb620d4…superfly/flyctl-actions/setup-flyctlmastered8efb3…superfly/fly-pr-review-apps1.3.0f7152c1…thollander/actions-comment-pull-requestv324bffb9…Follow-up (not in this PR)
The same Tolmo findings call out the secondary issue: every workflow runs with the default
GITHUB_TOKENscope (contents: write+ others). Adding a top-levelpermissions: { contents: read }block per workflow with per-job overrides where needed (release jobs, PR comment jobs, etc.) is a separate change.Test plan
deploy-previewruns successfully on this PR — confirmsoven-sh/setup-bun,actions/cache,actions/upload-artifact,actions/download-artifact,neondatabase/create-branch-action,superfly/fly-pr-review-apps,thollander/actions-comment-pull-requestall still resolve at the pinned SHAsdeploy-productiononmainsucceed end-to-end (confirmssuperfly/flyctl-actions/setup-flyctl@<sha>still works)release-desktoprun still creates a release (confirmssoftprops/action-gh-release@<sha>)Summary by cubic
Pin all third‑party GitHub Actions to commit SHAs to harden CI/CD. No logic changes; 114 references updated across 13 workflows. Local
./.github/...actions are unchanged. Closes eight Tolmo findings related to unpinned actions and secret exfiltration risk.# v4.3.1,# v2.2.0,# 1.6) so Dependabot/Renovate can show real version bumps.actions/checkout,actions/cache,actions/upload-artifact,actions/download-artifact,actions/setup-node,oven-sh/setup-bun,neondatabase/create-branch-action,neondatabase/delete-branch-action,superfly/flyctl-actions/setup-flyctl,superfly/fly-pr-review-apps,softprops/action-gh-release,thollander/actions-comment-pull-request.Written for commit f5af8f0. Summary will update on new commits.
Summary by CodeRabbit