Pin GitHub Actions to commit SHAs and document security practices #65
All GitHub Actions must be pinned to immutable commit SHAs to prevent supply chain attacks and ensure reproducible builds.

## Changes

**action.yml**
- Pinned `actions/setup-go@v5` → `@d35c59abb061a4a6fb18e82ac0862c26744d6ab5` (v5.5.0)
- Fixed malformed error message (missing closing quote)

**CONTRIBUTING.md** (new)
- Action pinning standard: commit SHAs with version comments
- Guidelines for adding/updating actions
- Security best practices for GitHub Actions
- Documentation on maintaining README examples when Dependabot updates actions

**README.md**
- Updated example workflow with pinned actions:
  - `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5` (v4.3.1)
  - `actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830` (v4.3.0)
  - `tailscale/gitops-acl-action@90d41601ba36b946cf4946ef5a72bf6e16bae14b` (v1.3.1)
- Added security note linking to CONTRIBUTING.md
- Added note explaining Dependabot doesn't automatically update README examples and directing users to releases page for latest versions

**Dependabot**
- Verified existing configuration covers composite action (action.yml) and workflows

## Format

```yaml
- uses: actions/setup-go@d35c59a # v5.5.0
```

Commit SHA is immutable; version comment aids human readability. Dependabot will automatically update pins weekly.

**Note:** Dependabot only updates action references in `action.yml` and workflow files, not code examples in markdown files. Maintainers should manually update README examples when Dependabot creates update PRs.

- Fixes #1

<details>
<summary>Original prompt</summary>

> *This section details the original issue you should resolve*
>
> <issue_title>Pin all referenced GitHub Actions and configure Dependabot for dependencies</issue_title>
> <issue_description>
> ## Summary
> All referenced and used GitHub Actions in this repository should be pinned to a specific version (commit SHA or tag) to enhance security and prevent unexpected changes or supply chain attacks. Additionally, if possible, configure Dependabot to help automatically pin and update dependencies, including action versions and package dependencies (if any).
>
> This repository is an Actions provider (with its main entrypoint in `action.yml`), so ensure any actions (such as `uses:` steps) or tool dependencies referenced in `action.yml`—especially in the `steps:` field—are pinned just as strictly as in workflow YAMLs (e.g., `.github/workflows/`). The configuration for Dependabot should also consider both workflow usage and references within `action.yml`.
>
> ## GitHub Actions best practices
> - Pin third-party actions to a full commit SHA when possible; if using tags, prefer immutable tags and regularly update them.
> - Limit permissions in workflows using the `permissions` key to the minimal set required (least privilege).
> - Use the official GitHub Actions and verified creators when available; review action code before adopting.
> - Avoid passing secrets or the full `GITHUB_TOKEN` to untrusted third-party actions; use inputs and secrets sparingly.
> - Prefer reusable workflows and composite actions for shared logic and pin those references as well.
> - Avoid running untrusted remote code (e.g., `run: curl | bash`) in workflows or within `action.yml`.
> - Use Dependabot for changelog and security updates, and consider scheduling periodic reviews of action pins.
> - Use `workflow` or environment protection rules (branch protection, required reviewers) for sensitive workflows.
>
> ## Tasks
> - Audit all GitHub workflow files (under `.github/workflows/`) for usages of GitHub Actions.
> - Audit the root-level `action.yml` (Marketplace entrypoint) for any `uses:` or tool version references.
> - Pin each action usage to a specific version (preferably a commit SHA for best security) in both workflow files and in the `action.yml`.
> - Ensure there are no `@main`, `@latest`, or other floating tags in action or tool references, including in the composite action steps within `action.yml`.
> - Investigate and, if possible, configure Dependabot:
>   - Enable for GitHub Actions versions in both workflows and the top-level composite action.
>   - Enable for package dependencies if present (e.g., package.json, requirements.txt).
> - Document the pinning standard and GitHub Actions best practices in the repository documentation (e.g., in a `CONTRIBUTING.md` or repository README).
>
> ## Acceptance Criteria
> - All GitHub Actions are pinned to static versions in workflows and within composite action definitions (`action.yml`).
> - Dependabot is enabled/configured for actions and dependencies.
> - All workflows and composite actions follow GitHub Action best practices (as per the official documentation).
> - Team is notified of completed migration and pinning standard.
> </issue_description>
>
> ## Comments on the Issue (you are @copilot in this section)
>
> <comments>
> </comments>

</details>

Co-authored-by: copilot-swe-agent[bot] <[email protected]>
Co-authored-by: Miladiir <[email protected]>
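As an added example that is not part of this PR or of the project's own code: a small Python check that scans workflow or composite-action YAML for `uses:` references and reports anything that is not a full 40-character commit SHA carrying a version comment, i.e. the format the PR description prescribes. The regexes, the function names and the sample workflow are my own constructions; the `actions/checkout` and `actions/setup-go` SHAs in the sample are the ones this PR pins, the other refs are deliberately unpinned to exercise each finding.

```python
import re

# Matches one `uses:` reference in workflow or composite-action YAML and captures
# the action path, the ref after '@', and any trailing `# comment`.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*["']?(?P<action>[^@\s"']+)@(?P<ref>[^\s"'#]+)["']?"""
    r"""\s*(?:#\s*(?P<comment>\S.*))?\s*$"""
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Hex-looking refs shorter than 40 chars are treated as abbreviated SHAs; a tag
# that happens to be all hex digits would be misclassified, which is rare.
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
# A version comment such as `# v5.5.0` or `# 1.3.1` that Dependabot keeps in sync.
VERSION_COMMENT_RE = re.compile(r"^v?\d+(?:\.\d+)*$")


def classify_ref(ref, comment):
    """Return None when `ref` is a full commit SHA with a version comment,
    otherwise a short code naming the problem."""
    if FULL_SHA_RE.match(ref):
        if comment and VERSION_COMMENT_RE.match(comment.strip()):
            return None
        return "missing-version-comment"
    if SHORT_SHA_RE.match(ref):
        return "abbreviated-sha"
    return "floating-ref"  # branch or tag: mutable, can be moved after review


def audit_uses(yaml_text):
    """Scan YAML text line by line and return (line_no, action, ref, finding)
    tuples, one per `uses:` step that references a remote action. Local `./`
    actions have no '@ref' and never match; `docker://` images are skipped."""
    findings = []
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None or m.group("action").startswith("docker://"):
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        findings.append((line_no, action, ref, classify_ref(ref, comment)))
    return findings


def unpinned(findings):
    """Only the entries that should block a merge."""
    return [f for f in findings if f[3] is not None]


def report(yaml_text, name="workflow.yml"):
    """One human-readable line per problem, in the style of a CI check output."""
    return [
        f"{name}:{line_no}: {action}@{ref}: {code}"
        for line_no, action, ref, code in unpinned(audit_uses(yaml_text))
    ]


# Constructed sample workflow (hypothetical, not the project's README example).
# Line 9 and line 13 use the real SHAs this PR pins; the rest are deliberately bad.
SAMPLE_WORKFLOW = """\
name: Sync Tailscale ACLs
on: [push]
permissions:
  contents: read
jobs:
  acls:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      - uses: actions/cache@v4
      - uses: actions/setup-go@d35c59a # v5.5.0
      - uses: tailscale/gitops-acl-action@main
      - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5
"""

if __name__ == "__main__":
    for line in report(SAMPLE_WORKFLOW):
        print(line)
    print("unpinned references:", len(unpinned(audit_uses(SAMPLE_WORKFLOW))))
```

Run it over `.github/workflows/*.yml` and the root `action.yml` in CI and fail the job when `unpinned()` is non-empty; the line-based scan is deliberate, because a YAML parser would drop the `# vX.Y.Z` comment that the pinning standard relies on.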
Pull Request Overview
This PR implements GitHub Actions security best practices by pinning all action references to immutable commit SHAs instead of mutable version tags. This change prevents supply chain attacks and ensures reproducible builds. The PR also introduces comprehensive documentation about the pinning standard and maintenance procedures.
Key Changes:
- Pinned `actions/setup-go` to commit SHA in action.yml with version comment format
- Fixed malformed error message (missing closing quote) in action.yml
- Created CONTRIBUTING.md with detailed documentation on action pinning standards, security best practices, and maintenance guidelines
- Updated README.md example workflow with pinned commit SHAs for all actions
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| action.yml | Pinned actions/setup-go to commit SHA (v5.5.0) and fixed missing quote in error message |
| README.md | Updated example workflow with pinned commit SHAs for all actions and added security notes explaining the pinning practice and Dependabot limitations |
| CONTRIBUTING.md | New file documenting action pinning standards, security best practices, Dependabot configuration, and maintenance procedures for keeping documentation synchronized with action updates |
This pull request was done using GitHub Copilot only. I created this PR since, according to the new GitHub Actions best practices and settings, the current version of the action does not run anymore in my Tailscale GitOps repository.