This repository was archived by the owner on May 22, 2026. It is now read-only.

chore: pin GitHub Actions to SHA (incident 2026-04-28) #22

Closed
ookura-mf wants to merge 1 commit into main from chore/sha-pin-actions-2026-04-28


Conversation

@ookura-mf

Summary

Replaces tag/branch references in workflow files with commit SHAs reachable at or before 2026-04-28T00:00:00Z.

Why

Mitigates the supply-chain risk of mutable tag/branch references in third-party GitHub Actions following the 2026-04-28 incident. Tag references can be force-updated by upstream maintainers; SHAs are immutable.

How

  • Original version is preserved as a trailing comment (e.g. uses: foo/bar@<sha> # v1) so Renovate / Dependabot can still detect upstream upgrades.
  • SHAs were pre-resolved and verified by the upstream pipeline (resolve_sha.py + verify_sha.py).

Test plan

  • CI green
  • Workflow files diff-reviewed for unintended changes
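The check a reviewer would want for the "How" and "Test plan" sections above is a mechanical one: every third-party `uses:` reference in the workflow files resolves to a full 40-hex commit SHA, and every pinned line still carries the trailing `# <version>` comment that Renovate / Dependabot rely on. The script below is an added example, not code from this PR, from actions-sha-pinner, or from resolve_sha.py / verify_sha.py. It audits a workflow with a line-level regex (no YAML library needed), and it also shows the rewrite the PR describes, taking the tag-to-SHA mapping from a caller-supplied dict that stands in for actions_pinned.csv. The workflow text, the SHAs and the mapping are constructed placeholders, and the function names are hypothetical.

```python
import re

# Matches one `uses:` step reference: owner/repo[/subpath]@ref, with an
# optional trailing "# comment". Local actions (./path) carry no "@ref" in
# this form and therefore never match; they are outside SHA-pinning scope.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*)uses:\s*(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)"
    r"@(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>\S.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(line):
    """Return a dict describing a `uses:` line, or None for any other line."""
    m = USES_RE.match(line)
    if not m or m.group("action").startswith("./"):
        return None
    ref = m.group("ref")
    return {
        "action": m.group("action"),
        "ref": ref,
        "comment": m.group("comment"),
        "pinned": bool(FULL_SHA_RE.match(ref)),
    }


def audit_workflow(text):
    """Classify every action reference in a workflow file.

    Returns a dict with three lists of (line_no, action, ref):
      unpinned        - ref is a tag or branch (mutable; upstream can move it)
      missing_comment - full SHA but no trailing '# <version>' hint for update bots
      pinned          - full SHA with a version comment (the target state)
    """
    report = {"unpinned": [], "missing_comment": [], "pinned": []}
    for no, line in enumerate(text.splitlines(), start=1):
        info = parse_uses(line)
        if info is None:
            continue
        entry = (no, info["action"], info["ref"])
        if not info["pinned"]:
            report["unpinned"].append(entry)
        elif not info["comment"]:
            report["missing_comment"].append(entry)
        else:
            report["pinned"].append(entry)
    return report


def pin_line(line, resolved):
    """Rewrite one `uses:` line to its SHA-pinned form, keeping the original ref as a comment.

    `resolved` maps "owner/repo[/subpath]@ref" -> 40-hex commit SHA (hypothetical
    stand-in for a pre-resolved CSV). Lines that are already pinned, that are not
    a `uses:` reference, or whose ref is not in the mapping are returned unchanged.
    """
    m = USES_RE.match(line)
    if not m or FULL_SHA_RE.match(m.group("ref")):
        return line
    sha = resolved.get(f"{m.group('action')}@{m.group('ref')}")
    if sha is None or not FULL_SHA_RE.match(sha):
        return line
    return f"{m.group('indent')}uses: {m.group('action')}@{sha} # {m.group('ref')}"


def pin_workflow(text, resolved):
    """Apply pin_line to every line of a workflow file."""
    return "\n".join(pin_line(line, resolved) for line in text.splitlines())


# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: some-org/some-action@main
      - uses: other-org/tool@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: echo build
"""

# Constructed tag-to-SHA mapping standing in for actions_pinned.csv.
RESOLVED = {
    "actions/checkout@v4": "abcdefabcdefabcdefabcdefabcdefabcdefabcd",
    "some-org/some-action@main": "fedcbafedcbafedcbafedcbafedcbafedcbafedc",
}

if __name__ == "__main__":
    for kind, entries in audit_workflow(SAMPLE_WORKFLOW).items():
        for no, action, ref in entries:
            print(f"{kind:16} line {no}: {action}@{ref}")
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVED))
```

Running `audit_workflow` before and after `pin_workflow` gives a concrete "diff-reviewed for unintended changes" check: the `unpinned` list must be empty afterwards, the `missing_comment` list must not grow, and any line the mapping did not cover stays byte-identical. Note that the mapping is keyed by the full action path, so `github/codeql-action/init@v3` and `github/codeql-action/analyze@v3` each need an entry even though they resolve to the same repository commit.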

Pin third-party and internal action references to commit SHAs reachable
at or before 2026-04-28T00:00:00Z, replacing tag/branch references.

Generated by actions-sha-pinner from actions_pinned.csv.
@ookura-mf ookura-mf requested a review from a team as a code owner May 7, 2026 12:47
@ookura-mf ookura-mf closed this May 8, 2026
1 participant