Skip to content

chore(ci): pin all GitHub Actions to SHA digests#1233

Open
fcanogab wants to merge 1 commit intoNVIDIA:mainfrom
fcanogab:pin-github-actions-sha-v2
Open

chore(ci): pin all GitHub Actions to SHA digests#1233
fcanogab wants to merge 1 commit intoNVIDIA:mainfrom
fcanogab:pin-github-actions-sha-v2

Conversation

@fcanogab
Copy link
Copy Markdown
Contributor

@fcanogab fcanogab commented May 7, 2026

Summary

Replace all mutable version tag references across 23 workflow files with
immutable SHA digests. Pinning to immutable SHAs eliminates the risk of a
compromised or reassigned upstream tag injecting malicious code into CI runs.
Dependabot (configured in #1188) will keep these pins current automatically.

Related Issue

N/A

Changes

  • Pin actions/checkout@v6de0fac2e4500dabe0009e67214ff5f5447ce83dd
  • Pin actions/checkout@v434e114876b0b11c390a56381ad16ebd13914f8d5
  • Pin actions/github-script@v9373c709c69115d41ff229c7e5df9f8788daa9553
  • Pin actions/setup-node@v648b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
  • Pin docker/login-action@v44907a6ddec9925e35a0a9e82d7399ccc52663121
  • Pin actions/upload-artifact@v7043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
  • Pin actions/download-artifact@v4d3f86a106a0bac45b974a628896c90dbdf5c8093
  • Pin softprops/action-gh-release@v23bb12739c298aeb8a4eeaf626c5b8d85266b0e65
  • Pin actions/attest@v4281a49d4cbb0a72c9575a50d18f6deb515a11deb
  • Retain the version tag as an inline comment on each line for human readability and because it's a Dependabot requirement

Testing

  • mise run pre-commit passes (lint, format, license headers, rust:check, rust:lint)
  • Unit tests added/updated — not applicable
  • E2E tests added/updated — not applicable

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated — not applicable

Made with Cursor

@fcanogab @cursoragent
chore(ci): pin all GitHub Actions to SHA digests
e304212 
Replace all mutable version tag references across 23 workflow files
with immutable SHA digests. Retains the version tag as an inline
comment for human readability and because it's a Dependabot requirement.

Pinning to immutable SHAs eliminates the risk of a compromised or
reassigned upstream tag injecting malicious code into CI runs.

Pinned actions:
- actions/checkout@v6     => de0fac2e4500dabe0009e67214ff5f5447ce83dd
- actions/checkout@v4     => 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/github-script@v9 => 373c709c69115d41ff229c7e5df9f8788daa9553
- actions/setup-node@v6   => 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
- docker/login-action@v4  => 4907a6ddec9925e35a0a9e82d7399ccc52663121
- actions/upload-artifact@v7   => 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
- actions/download-artifact@v4 => d3f86a106a0bac45b974a628896c90dbdf5c8093
- softprops/action-gh-release@v2 => 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65
- actions/attest@v4       => 281a49d4cbb0a72c9575a50d18f6deb515a11deb

Dependabot will keep these pins current via the github-actions
ecosystem config added in NVIDIA#1188.

Signed-off-by: Florencio Cano Gabarda <fcanogab@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented May 7, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch
Copy link
Copy Markdown
Collaborator

TaylorMutch commented May 7, 2026

LGTM if you can fix the merge conflicts

@russellb
Copy link
Copy Markdown
Contributor

russellb commented May 9, 2026

It would be nice to look at configuring Dependabot to propose bumps to these. Previously, using something like v6 would have gotten minor updates/fixes automatically, but we'll need to update now.

100% supportive of this change as a best practice, by the way!

I'm happy to propose the bot config after this lands unless there's an objection. (Obviously, those bot updates need to be checked and not blindly merged, or it defeats the purpose.)

@TaylorMutch
Copy link
Copy Markdown
Collaborator

TaylorMutch commented May 9, 2026

It would be nice to look at configuring Dependabot to propose bumps to these. Previously, using something like v6 would have gotten minor updates/fixes automatically, but we'll need to update now.

100% supportive of this change as a best practice, by the way!

I'm happy to propose the bot config after this lands unless there's an objection. (Obviously, those bot updates need to be checked and not blindly merged, or it defeats the purpose.)

No concerns on my front, seems fine to me

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@maxamillion maxamillion Awaiting requested review from maxamillion maxamillion is a code owner

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fcanogab @TaylorMutch @russellb