Skip to content

feat(DTOSS-13028): Pin GitHub Actions to commit SHAs for enhanced security#311

Merged
nc-shahidazim merged 1 commit into
mainfrom
feat/DTOSS-13028-commit-sha-for-ci
Jun 4, 2026
Merged

feat(DTOSS-13028): Pin GitHub Actions to commit SHAs for enhanced security#311
nc-shahidazim merged 1 commit into
mainfrom
feat/DTOSS-13028-commit-sha-for-ci

Conversation

@nc-shahidazim
Copy link
Copy Markdown
Contributor

@nc-shahidazim nc-shahidazim commented Jun 3, 2026

Description

This PR updates all GitHub Actions workflows to reference actions by immutable commit SHAs instead of version tags (e.g., @V3). This improves the security and integrity of our CI/CD pipelines by ensuring that workflows always run against a known, trusted version of each action.

What’s changed?

  • Updated all uses: references in GitHub Actions workflows:
    • From: owner/action@vX
    • To: owner/action@
  • Verified that each pinned SHA corresponds to a trusted release of the action

Context

GitHub Actions workflows in this repository were previously referencing actions using version tags (e.g., @V3). While convenient, these references are mutable and can change over time, introducing potential security and stability risks.

Recent security assessment guidance recommend pinning dependencies - including GitHub Actions - to specific commit SHAs. This ensures that workflows execute only verified and immutable code, reducing the risk of unintended changes or compromised upstream actions.

This update aligns our CI/CD pipelines with those best practices by making action dependencies explicit, auditable, and tamper-resistant.

Type of changes

  • Refactoring (non-breaking change)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would change existing functionality)
  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • I am familiar with the contributing guidelines
  • I have followed the code style of the project
  • I have added tests to cover my changes
  • I have updated the documentation accordingly
  • This PR is a result of pair or mob programming

Sensitive Information Declaration

To ensure the utmost confidentiality and protect your and others privacy, we kindly ask you to NOT including PII (Personal Identifiable Information) / PID (Personal Identifiable Data) or any other sensitive data in this PR (Pull Request) and the codebase changes. We will remove any PR that do contain any sensitive information. We really appreciate your cooperation in this matter.

  • I confirm that neither PII/PID nor sensitive data are included in this PR and the codebase changes.

MacMur85
MacMur85 approved these changes Jun 3, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@MacMur85 MacMur85 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved

@nc-shahidazim nc-shahidazim added this pull request to the merge queue Jun 4, 2026
Merged via the queue into main with commit 2a1fb5a Jun 4, 2026
11 checks passed
@nc-shahidazim nc-shahidazim deleted the feat/DTOSS-13028-commit-sha-for-ci branch June 4, 2026 12:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MacMur85 MacMur85 MacMur85 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nc-shahidazim @MacMur85