fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks#1088
Open
simonkurtz-MSFT wants to merge 5 commits intogithub:stagedfrom
Open
fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks#1088simonkurtz-MSFT wants to merge 5 commits intogithub:stagedfrom
simonkurtz-MSFT wants to merge 5 commits intogithub:stagedfrom
Conversation
…in attacks Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com>
…-tag-usage fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks
simonkurtz-MSFT
requested review from
aaronpowell and
brunoborges
as code owners
simonkurtz-MSFT
commented
Mar 19, 2026
| echo "path=dist.zip" >> "$GITHUB_OUTPUT" | ||
| - name: Upload build artifact | ||
| uses: actions/upload-artifact@v3 | ||
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 |
Author
There was a problem hiding this comment.
First-party version update rather than pinning to what was in v3
simonkurtz-MSFT
commented
Mar 19, 2026
| steps: | ||
| - name: Download build artifact | ||
| uses: actions/download-artifact@v3 | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 |
Author
There was a problem hiding this comment.
First-party version update rather than pinning to what was in v3
simonkurtz-MSFT
commented
Mar 19, 2026
| ```yaml | ||
| - name: Cache Node.js modules | ||
| uses: actions/cache@v3 | ||
| uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4 |
Author
There was a problem hiding this comment.
First-party version update rather than pinning to what was in v3
Contributor
There was a problem hiding this comment.
Pull request overview
Pins GitHub Actions uses: references to immutable commit SHAs (with readable version comments) to reduce supply-chain risk from mutable tags/branches, and updates the repo’s CI/CD guidance to require SHA pinning.
Changes:
- Updated multiple
.github/workflows/*.ymlfiles to use full commit SHAs instead of mutable refs like@v*/@main. - Strengthened GitHub Actions guidance (instructions + agents) to require SHA pinning and explain the rationale.
- Updated workflow examples across docs/agents to reflect SHA-pinned action usage.
Reviewed changes
Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| instructions/github-actions-ci-cd-best-practices.instructions.md | Updates workflow examples and guidance to require SHA pinning; adds supply-chain rationale. |
| agents/github-actions-expert.agent.md | Tightens “Action Pinning” guidance to require full SHAs and updates checklist/summary text. |
| agents/se-gitops-ci-specialist.agent.md | Updates embedded workflow snippets to use SHA-pinned actions. |
| .github/workflows/validate-readme.yml | Pins checkout/setup-node/sticky-comment actions to SHAs. |
| .github/workflows/validate-agentic-workflows-pr.yml | Pins checkout/setup-cli/sticky-comment actions to SHAs. |
| .github/workflows/publish.yml | Pins checkout/setup-node to SHAs. |
| .github/workflows/deploy-website.yml | Pins checkout/setup-node/pages actions to SHAs. |
| .github/workflows/copilot-setup-steps.yml | Pins checkout to a SHA. |
| .github/workflows/contributors.yml | Pins checkout/setup-node/create-pull-request to SHAs. |
| .github/workflows/codespell.yml | Pins checkout/codespell action to SHAs. |
| .github/workflows/check-pr-target.yml | Pins github-script to a SHA. |
| .github/workflows/check-plugin-structure.yml | Pins checkout/github-script to SHAs. |
| .github/workflows/check-line-endings.yml | Pins checkout to a SHA. |
| - **Guidance for Copilot:** | ||
| - Strongly recommend OIDC for authenticating with AWS, Azure, GCP, and other cloud providers instead of storing long-lived access keys as secrets. | ||
| - Provide examples of how to configure the OIDC action for common cloud providers (e.g., `aws-actions/configure-aws-credentials@v4`). | ||
| - Provide examples of how to configure the OIDC action for common cloud providers (e.g., `aws-actions/configure-aws-credentials@<SHA> # v4.x.x`). Always pin to a full commit SHA. |
| ## Best Practices Summary | ||
|
|
||
| 1. Pin actions to specific versions | ||
| 1. Pin actions to full commit SHAs with version comments (e.g., `@<sha> # vX.Y.Z`) — never use mutable tags or branches |
Author
|
The 1P actions |
Author
|
Hi @aaronpowell & @brunoborges, could you please kick off the PR target branch check again? I changed it from |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Checklist
npm startand verified thatREADME.mdis up to date.Description
Mutable tag references (
@v4,@main,@latest) in GitHub Actions are a supply chain attack vector — a tag can be silently moved to a malicious commit by anyone with write access to the action's repo. Replaces all such references with full commit SHAs plus human-readable version comments across workflow files and documentation.Fixes #909
Before:
After:
Workflow files (
.github/workflows/)actions/checkout,actions/setup-node,actions/github-script,actions/configure-pages,actions/upload-pages-artifact,actions/deploy-pages,marocchino/sticky-pull-request-comment,peter-evans/create-pull-request,codespell-project/actions-codespell,github/gh-aw/actions/setup-cliDocumentation & instructions
instructions/github-actions-ci-cd-best-practices.instructions.md: Strengthened guidance to require SHA pinning (not just recommend it), added supply chain attack rationale, updated all code examples with real SHAsagents/github-actions-expert.agent.md: Changed Action Pinning recommendation from "use@v4for balance" to requiring full SHA; updated checklist and best practices summaryagents/se-gitops-ci-specialist.agent.md: Updated all inline workflow examples to use SHA-pinned referencesType of Contribution
Additional Notes
Auto-generated
.lock.ymlfiles were intentionally excluded — those are machine-managed and not subject to manual pinning.By submitting this pull request, I confirm that my contribution abides by the Code of Conduct and will be licensed under the MIT License.