9 changes: 3 additions & 6 deletions .github/workflows/bump-version.yml
Expand Up @@ -58,8 +58,7 @@ jobs:
echo "dbt package version: $DBT_PACKAGE_VERSION"
- name: fail on invalid input
if: ${{ steps.validate-cli-input.outputs.cli-validation == '' || (inputs.dbt-package-version != '' && steps.validate-dbt-package-input.outputs.dbt-package-validation == '') }}
# actions/github-script v8, checked 2026-04-26.
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
uses: actions/github-script@v8
with:
script: |
core.setFailed("Invalid version inputs")
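Review bot: replacing the 40-character SHA on the `actions/github-script` step with `@v8` turns a fixed reference into a mutable one, so the code this step runs is whatever the upstream `v8` tag points to on the day the workflow runs, and the deleted `# actions/github-script v8, checked 2026-04-26.` line was the only record of when that pin was last reviewed. If the motivation is maintenance cost rather than trust, the usual middle ground is to keep the SHA and carry the version as a trailing comment (`uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8`), which Dependabot and Renovate can bump automatically.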
Expand All @@ -75,8 +74,7 @@ jobs:
RELEASE_BRANCH: release/v${{ needs.validate-version.outputs.validated-cli-version }}
steps:
- name: Checkout code
# actions/checkout v6, checked 2026-04-26.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
uses: actions/checkout@v6
- name: Create release branch
run: git checkout -b "$RELEASE_BRANCH"
- name: Initial config
Expand Down Expand Up @@ -110,8 +108,7 @@ jobs:
contents: read
pull-requests: write
steps:
# actions/checkout v6, checked 2026-04-26.
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- uses: actions/checkout@v6
- name: create pull request
# repo-sync/pull-request v2.12.1, checked 2026-04-26.
uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5
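Review bot: this hunk now mixes two pinning styles in one job: `actions/checkout` moves to `@v6` while `repo-sync/pull-request` directly below keeps its SHA and dated comment. If the intended policy is "tags for trusted vendors, SHAs for everyone else", write that down (a comment at the top of the workflow is enough) so the next contributor does not "fix" the inconsistency in either direction, and consider backing it with the repository's Actions allow-list so that only the trusted vendors can be referenced by tag at all.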
36 changes: 12 additions & 24 deletions .github/workflows/release.yml
Expand Up @@ -45,14 +45,12 @@ jobs:
contents: read
steps:
- name: Checkout Elementary
# actions/checkout v6, checked 2026-04-26.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
uses: actions/checkout@v6
with:
ref: ${{ needs.validate-release-ref.outputs.release-ref }}

- name: Setup Python
# actions/setup-python v6, checked 2026-04-26.
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
uses: actions/setup-python@v6
Comment on lines +48 to +53
@coderabbitai coderabbitai Bot Apr 27, 2026
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Non-SHA workflow action refs:"
rg -nP '^\s*uses:\s*[^@]+@(?![0-9a-f]{40}$)\S+' .github/workflows

echo
echo "Current tag -> commit SHA resolution:"
rg -nP '^\s*uses:\s*([^@]+)@([^\s]+)' .github/workflows \
| sed -E 's/.*uses:\s*([^@]+)@([^[:space:]]+).*/\1@\2/' \
| sort -u \
| while IFS='@' read -r repo ref; do
  [[ "$ref" =~ ^[0-9a-f]{40}$ ]] && continue
  sha="$(git ls-remote "https://github.com/${repo}.git" "refs/tags/${ref}" | awk 'NR==1{print $1}')"
  printf "%-45s -> %s\n" "${repo}@${ref}" "${sha:-<tag not found>}"
done

Repository: elementary-data/elementary

Length of output: 4394


🏁 Script executed:

wc -l .github/workflows/release.yml

Repository: elementary-data/elementary

Length of output: 104


🏁 Script executed:

cat -n .github/workflows/release.yml | head -200

Repository: elementary-data/elementary

Length of output: 7254


Pin release workflow actions to immutable commit SHAs, not floating version tags.

Lines 48, 53, 105, 110, 121, 142, 147, 150, 153, 161, 169, and 186 use floating major version tags (e.g., @v6, @v4, @v7) instead of commit SHAs. In release workflows that publish to PyPI and GHCR, this creates non-reproducible and mutable execution behavior—the workflow can behave differently across different release runs if action maintainers update the tag. This weakens supply-chain integrity and auditability.

Replace each action reference with its corresponding commit SHA (you can preserve the version as an inline comment for clarity):

  • actions/checkout@v6 → actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
  • actions/setup-python@v6 → actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
  • actions/upload-artifact@v6 → actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
  • docker/setup-qemu-action@v4 → docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
  • docker/setup-buildx-action@v4 → docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
  • docker/login-action@v4 → docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
  • docker/metadata-action@v6 → docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
  • docker/build-push-action@v7 → docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 48 - 53, Replace floating action
tags with the provided immutable commit SHAs to make the release workflow
reproducible: update actions/checkout@v6 to
de0fac2e4500dabe0009e67214ff5f5447ce83dd, actions/setup-python@v6 to
a309ff8b426b58ec0e2a45f0f869d46889d02405, actions/upload-artifact@v6 to
b7c566a772e6b6bfb58ed0dc250532a479d7789f, docker/setup-qemu-action@v4 to
ce360397dd3f832beb865e1373c09c0e9f86d70a, docker/setup-buildx-action@v4 to
4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd, docker/login-action@v4 to
4907a6ddec9925e35a0a9e82d7399ccc52663121, docker/metadata-action@v6 to
030e881283bb7a6894de51c315a6bfe6a94e05cf, and docker/build-push-action@v7 to
bcafcacb16a39f128d818304e6c9c0c18556b85f; you may keep the original `@vX` tag as
an inline comment for clarity.

Contributor Author

since these are trusted vendors, we choose to trust their version tags


@ofek1weiss, understood — using major version tags for trusted vendors like actions/* and docker/* is a reasonable tradeoff, and I'll respect that decision going forward.


✏️ Learnings added
Learnt from: ofek1weiss
Repo: elementary-data/elementary PR: 2222
File: .github/workflows/release.yml:48-53
Timestamp: 2026-04-27T15:33:17.054Z
Learning: In the elementary-data/elementary repository, the team intentionally uses floating major version tags (e.g., `v6`, `v4`, `v7`) instead of pinned commit SHAs for GitHub Actions from trusted vendors such as `actions/*` and `docker/*`. Do not flag these as security issues or suggest replacing them with commit SHAs.


with:
python-version: "3.10"

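A small checker for the pinning convention discussed in the comment thread above, added here as an example and not part of the project or the review bot's tooling. It parses `uses:` lines with a regex instead of a YAML library and recognises this workflow's own `# owner/repo vN, checked YYYY-MM-DD.` comment; the sample text is constructed from lines in this diff.

```python
# Added example (not project code): lint workflow text for the action-pinning
# convention used in this repo: a SHA-pinned `uses:` carries
# `# owner/repo vN, checked YYYY-MM-DD.` on the line directly above it.
import re
from dataclasses import dataclass

# `uses: owner/repo@ref`, optionally as a list item; local (./) and docker:// refs are skipped.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*([\w.-]+/[\w.-]+)@(\S+)')
PIN_COMMENT_RE = re.compile(r'^\s*#\s*([\w.-]+/[\w.-]+)\s+v\S+,\s*checked\s+\d{4}-\d{2}-\d{2}\.')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')

@dataclass
class Finding:
    line: int
    action: str
    ref: str
    reason: str

def lint_workflow(text: str) -> list[Finding]:
    """One Finding per `uses:` line that is not both SHA-pinned and documented."""
    findings: list[Finding] = []
    lines = text.splitlines()
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.groups()
        if not SHA_RE.match(ref):
            findings.append(Finding(i, action, ref, "floating ref (tag/branch), not a commit SHA"))
            continue
        # A bare SHA is opaque to reviewers; require the dated comment right above it.
        c = PIN_COMMENT_RE.match(lines[i - 2]) if i >= 2 else None
        if c is None:
            findings.append(Finding(i, action, ref, "SHA pin lacks '# owner/repo vN, checked DATE.' comment"))
        elif c.group(1) != action:
            findings.append(Finding(i, action, ref, f"pin comment names {c.group(1)}, not {action}"))
    return findings

# Constructed sample mixing the old (SHA + comment) and new (tag) forms from this PR.
SAMPLE = """\
    # actions/checkout v6, checked 2026-04-26.
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
    uses: actions/setup-python@v6
  # actions/checkout v6, checked 2026-04-26.
  - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
  - uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5
"""
```

Run it over `.github/workflows/*.yml` in CI and fail the job on any finding to make the chosen policy enforceable rather than a matter of review memory.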
Expand Down Expand Up @@ -104,14 +102,12 @@ jobs:
id-token: write
steps:
- name: Checkout Elementary
# actions/checkout v6, checked 2026-04-26.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
uses: actions/checkout@v6
with:
ref: ${{ needs.validate-release-ref.outputs.release-ref }}

- name: Setup Python
# actions/setup-python v6, checked 2026-04-26.
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
uses: actions/setup-python@v6
with:
python-version: "3.10"

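Review bot: this job carries `id-token: write`, i.e. every step in it, including `actions/checkout@v6` and `actions/setup-python@v6`, executes in a context that can request the OIDC token used for trusted publishing. Of all the hunks in this PR this is the one where a moved tag has the largest blast radius, so if the team keeps SHA pins anywhere, this job is the place; if tags stay, at least keep the job's permissions as narrow as they are here and avoid adding secrets to it.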
Expand All @@ -122,8 +118,7 @@ jobs:
run: python -m build --sdist --wheel --outdir dist .

- name: Upload build artifact
# actions/upload-artifact v6, checked 2026-04-26.
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
uses: actions/upload-artifact@v6
with:
name: build
path: dist
Expand All @@ -144,40 +139,34 @@ jobs:

steps:
- name: Checkout Elementary
# actions/checkout v6, checked 2026-04-26.
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
uses: actions/checkout@v6
with:
ref: ${{ needs.validate-release-ref.outputs.release-ref }}

- name: Set up QEMU for multi-platform support
# docker/setup-qemu-action v4, checked 2026-04-26.
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
uses: docker/setup-qemu-action@v4

- name: Set up Docker Buildx for multi-platform support
# docker/setup-buildx-action v4, checked 2026-04-26.
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
uses: docker/setup-buildx-action@v4

- name: Log in to the container registry
# docker/login-action v4, checked 2026-04-26.
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
uses: docker/login-action@v4
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
id: meta
# docker/metadata-action v6, checked 2026-04-26.
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
uses: docker/metadata-action@v6
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=semver,pattern={{version}},value=${{ needs.validate-release-ref.outputs.release-tag }}
type=ref,event=tag

- name: Build and push Docker image
# docker/build-push-action v7, checked 2026-04-26.
uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f
uses: docker/build-push-action@v7
with:
context: .
push: true
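Review bot: `docker/login-action@v4` receives `secrets.GITHUB_TOKEN` for `${{ env.REGISTRY }}` and `docker/build-push-action@v7` pushes the image with `push: true`, so with floating tags the code that handles that token and produces the published image is whatever `v4`/`v7` resolve to at release time, and two runs of the same release tag are no longer guaranteed to be built by the same action code. The removed `checked 2026-04-26` comments were the only dated evidence of which SHAs were reviewed; the resolved SHA list in the review comment above is a ready-made way to reinstate them for this job alone if the policy is revisited.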
Expand All @@ -194,8 +183,7 @@ jobs:
contents: write
pull-requests: write
steps:
# actions/checkout v6, checked 2026-04-26.
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- uses: actions/checkout@v6
with:
ref: ${{ needs.validate-release-ref.outputs.release-ref }}
- name: PR master to docs
3 changes: 1 addition & 2 deletions .github/workflows/triage-labels.yml
Expand Up @@ -11,8 +11,7 @@ jobs:
issues: write
steps:
- name: Update label
# actions/github-script v8, checked 2026-04-26.
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
uses: actions/github-script@v8
with:
script: |
const { owner, repo } = context.repo;
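Review bot: this is the lowest-risk workflow in the PR (`issues: write` only, inline script), so it is the natural place for tag pinning if the team wants a tiered policy; the point worth recording is that the same `@v8` reference is now also used in bump-version.yml, where the step gates release input validation, so the two workflows will diverge in behaviour only if the tag moves between their runs.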