Conversation

@caugner
Contributor

@caugner caugner commented Oct 27, 2025

Description

Pins all 3rd party GitHub Actions to specific commit hashes instead of version tags.

Each pinned action includes an inline comment with the resolved version number for reference.

Motivation

Security best practice to pin actions to immutable commit hashes, preventing potential supply chain attacks from compromised action versions or tag hijacking.

Additional details

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Related issues and pull requests

Part of mdn/fred#1005.
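A small checker that audits a workflow file for the property this PR introduces: every third-party `uses:` reference pinned to a full commit hash, with a version comment beside it. This is an added example, not code from the PR or the mdn/fred project; the sample workflow and its 40-character hashes are constructed placeholders, not real commits.

```python
import re

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`.
# Local (`./...`) and `docker://` references do not match and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")      # full 40-hex commit hash only
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*")  # e.g. v4, v4.0.0

# Constructed sample workflow; the 40-char hashes are placeholders, not real commits.
SAMPLE = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v4.0.0
      - uses: some-org/some-action@2222222222222222222222222222222222222222
      - uses: ./.github/actions/local-thing
      - run: npm test
"""

def audit_workflow(text):
    """Return (line_no, action, ref, finding) per external `uses:` line.
    finding: 'unpinned' (mutable tag/branch), 'missing-comment' (SHA but no
    human-readable version), or 'ok' (SHA plus version comment)."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.match(ref):
            finding = "unpinned"
        elif comment and VERSION_RE.match(comment.strip()):
            finding = "ok"
        else:
            finding = "missing-comment"
        results.append((line_no, action, ref, finding))
    return results

def has_unpinned(text):
    """True if any external action is not pinned to a commit SHA (CI gate)."""
    return any(f == "unpinned" for _, _, _, f in audit_workflow(text))
```

Running `audit_workflow(SAMPLE)` flags the `@v4` tag as unpinned and the hash without a comment as `missing-comment`; `has_unpinned` is the boolean a CI step would fail on.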

@caugner caugner requested review from a team and LeoMcA and removed request for a team October 27, 2025 16:55
@github-actions github-actions bot added the system [PR only] (Infrastructure and configuration for the project) and size/m [PR only] (51-500 LoC changed) labels Oct 27, 2025
@caugner caugner force-pushed the pin-workflow-actions branch from 7843904 to 709f14b October 27, 2025 17:01
@caugner caugner marked this pull request as ready for review October 27, 2025 17:02
@caugner caugner requested a review from a team as a code owner October 27, 2025 17:02
@github-actions github-actions bot added the merge conflicts 🚧 [PR only] label Oct 27, 2025
@github-actions
Contributor

This pull request has merge conflicts that must be resolved before it can be merged.

@github-actions github-actions bot removed the merge conflicts 🚧 [PR only] label Oct 28, 2025
@argl argl merged commit 748951e into main Oct 28, 2025
20 checks passed
@argl argl deleted the pin-workflow-actions branch October 28, 2025 14:40