
chore: Pin GitHub Actions #214

Merged
gjtorikian merged 3 commits into main from chore/pin-github-actions
Mar 2, 2026

Conversation

@gjtorikian gjtorikian (Contributor) commented Feb 26, 2026

Summary

Pin all third-party GitHub Actions to immutable commit SHAs.

Why

Action tags (like v3, v4, main) can be moved or retagged, which means a future workflow run could execute different code than what we reviewed today. Pinning to SHAs makes the workflow supply chain deterministic and auditable, reducing the risk of action-level compromise or accidental breaking changes. We can still update intentionally by bumping the SHA.

@gjtorikian gjtorikian requested a review from a team as a code owner February 26, 2026 19:38
@gjtorikian gjtorikian requested a review from mthadley February 26, 2026 19:38
@greptile-apps greptile-apps Bot commented Feb 26, 2026

Greptile Summary

Pins all GitHub Actions (actions/checkout, actions/setup-dotnet, actions/setup-node) to immutable commit SHAs with version comments for supply chain security. This ensures workflows execute deterministic, auditable code that cannot be retroactively modified through tag manipulation.

  • Replaced mutable version tags (e.g., @v4) with commit SHAs across all workflow files
  • Added inline comments (e.g., # v4.3.1) to indicate which version each SHA represents
  • Improves supply chain security by preventing potential action-level compromise or unexpected breaking changes

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are purely security improvements that pin third-party GitHub Actions to specific commit SHAs without modifying any functional logic. All changes follow established best practices for supply chain security.
  • No files require special attention

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/ci.yml | Pinned actions/checkout and actions/setup-dotnet to commit SHAs with version comments |
| .github/workflows/coana-analysis.yml | Pinned actions/checkout to commit SHA, but docker://coana/coana:latest remains unpinned |
| .github/workflows/coana-guardrail.yml | Pinned actions/checkout (2 instances) and actions/setup-node to commit SHAs with version comments |
| .github/workflows/release.yml | Pinned actions/checkout and actions/setup-dotnet to commit SHAs with version comments |

Last reviewed commit: 53a0f50

@greptile-apps greptile-apps Bot left a comment

4 files reviewed, 1 comment

@greptile-apps greptile-apps Bot commented Feb 26, 2026

Additional Comments (1)

.github/workflows/coana-analysis.yml
The :latest Docker image tag is mutable, similar to unpinned action tags. Consider pinning to a specific digest for the same supply chain security benefits, e.g., docker://coana/coana@sha256:...
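
As an added example (not part of this PR or the project's own code), the audit below flags the two kinds of mutable reference discussed in the PR description and in the Greptile comment above: `uses:` refs that are not pinned to a full 40-hex commit SHA, and `docker://` images referenced by a tag such as `:latest` rather than by a `sha256` digest. It also flags SHA pins that lack the `# vX.Y.Z` version comment the PR adds, so the pinned version stays readable. The sample workflow text, the placeholder SHAs, the `ghcr.io/example/scanner` image and the `example-org/untagged-action` ref are constructed for illustration and are not the project's real workflow files.

```python
"""Audit GitHub Actions workflow files for mutable `uses:` references.

Added example for this PR discussion; not part of the project's own code.
Flags: action refs without a 40-hex commit SHA, SHA pins that lack a
'# vX.Y.Z' version comment, and docker:// images referenced by tag
instead of by sha256 digest.
"""
import re
import sys
from typing import List, NamedTuple, Optional

# Full 40-hex commit SHA, the only immutable form of `uses: owner/repo@<ref>`.
SHA40 = re.compile(r"^[0-9a-f]{40}$")
# OCI image digest, the only immutable form of `docker://image@<digest>`.
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
# A `uses:` line: optional list dash and quotes, optional trailing `# comment`.
USES_LINE = re.compile(
    r"""^\s*-?\s*uses:\s*['"]?([^'"\s#]+)['"]?(?:\s*#\s*(.*?))?\s*$"""
)


class Finding(NamedTuple):
    line_no: int
    ref: str
    reason: str


def check_uses(ref: str) -> Optional[str]:
    """Return why `ref` is mutable, or None if it is immutably pinned."""
    if ref.startswith("./"):
        return None  # local action: shipped in this repo, fixed by the checkout itself
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" not in image:
            return f"docker image '{image}' is referenced by a mutable tag"
        digest = image.rsplit("@", 1)[1]
        return None if DIGEST.match(digest) else f"docker image '{image}' has a malformed digest"
    if "@" not in ref:
        return f"'{ref}' has no ref at all (resolves to the default branch)"
    action, version = ref.rsplit("@", 1)
    if SHA40.match(version):
        return None
    return f"'{action}' is pinned to mutable ref '{version}', not a full commit SHA"


def audit_workflow(text: str) -> List[Finding]:
    """Scan workflow YAML text line by line and collect mutable references."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        reason = check_uses(ref)
        if reason is not None:
            findings.append(Finding(line_no, ref, reason))
        elif SHA40.match(ref.rsplit("@", 1)[-1]) and not comment:
            # The SHA is immutable but unreadable; keep the PR's `# v4.3.1` convention.
            findings.append(Finding(line_no, ref, "SHA pin lacks a '# vX.Y.Z' version comment"))
    return findings


# Constructed sample workflow. The SHAs are placeholders (not real action commits)
# and the scanner image / untagged action are invented for the example.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@1111111111111111111111111111111111111111 # v4.3.1
      - uses: actions/setup-node@2222222222222222222222222222222222222222
      - uses: docker://coana/coana:latest
      - uses: docker://ghcr.io/example/scanner@sha256:{d}
      - uses: ./.github/actions/local-step
      - uses: example-org/untagged-action
""".format(d="0" * 64)


def main(paths: List[str]) -> int:
    """Audit the given workflow files (or the built-in sample); exit 1 on any finding."""
    sources = []
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            sources.append((path, fh.read()))
    if not sources:
        sources.append(("<sample>", SAMPLE_WORKFLOW))
    total = 0
    for name, text in sources:
        for f in audit_workflow(text):
            print(f"{name}:{f.line_no}: {f.reason}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python audit_uses.py .github/workflows/*.yml` in CI to fail the build when a tag, branch or `:latest` image slips back in; with no arguments it audits the constructed sample, reporting the `@v4` tag, the missing version comment, the `:latest` image and the ref with no version at all.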

@gjtorikian gjtorikian changed the title from "Pin GitHub Actions" to "chore: Pin GitHub Actions" Feb 26, 2026
@gjtorikian gjtorikian merged commit f07891d into main Mar 2, 2026
5 checks passed
@gjtorikian gjtorikian deleted the chore/pin-github-actions branch March 2, 2026 18:52