
chore(ci): pin all GitHub Actions to SHA digests#1233

Merged
TaylorMutch merged 1 commit into
NVIDIA:mainfrom
fcanogab:pin-github-actions-sha-v2
May 19, 2026

Conversation

@fcanogab
Contributor

@fcanogab fcanogab commented May 7, 2026

Summary

Replace all mutable version tag references across 23 workflow files with
immutable SHA digests. Pinning to immutable SHAs eliminates the risk of a
compromised or reassigned upstream tag injecting malicious code into CI runs.
Dependabot (configured in #1188) will keep these pins current automatically.

Related Issue

N/A

Changes

  • Pin actions/checkout@v6 => de0fac2e4500dabe0009e67214ff5f5447ce83dd
  • Pin actions/checkout@v4 => 34e114876b0b11c390a56381ad16ebd13914f8d5
  • Pin actions/github-script@v9 => 373c709c69115d41ff229c7e5df9f8788daa9553
  • Pin actions/setup-node@v6 => 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
  • Pin docker/login-action@v4 => 4907a6ddec9925e35a0a9e82d7399ccc52663121
  • Pin actions/upload-artifact@v7 => 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
  • Pin actions/download-artifact@v4 => d3f86a106a0bac45b974a628896c90dbdf5c8093
  • Pin softprops/action-gh-release@v2 => 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65
  • Pin actions/attest@v4 => 281a49d4cbb0a72c9575a50d18f6deb515a11deb
  • Retain the version tag as an inline comment on each line for human readability and because it's a Dependabot requirement

Testing

  • mise run pre-commit passes (lint, format, license headers, rust:check, rust:lint)
  • Unit tests added/updated — not applicable
  • E2E tests added/updated — not applicable

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated — not applicable

Made with Cursor

@copy-pr-bot

copy-pr-bot Bot commented May 7, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch
Collaborator

LGTM if you can fix the merge conflicts

@russellb
Contributor

russellb commented May 9, 2026

It would be nice to look at configuring Dependabot to propose bumps to these. Previously, using something like v6 would have gotten minor updates/fixes automatically, but we'll need to update now.

100% supportive of this change as a best practice, by the way!

I'm happy to propose the bot config after this lands unless there's an objection. (Obviously, those bot updates need to be checked and not blindly merged, or it defeats the purpose.)

@TaylorMutch
Collaborator

> It would be nice to look at configuring Dependabot to propose bumps to these. Previously, using something like v6 would have gotten minor updates/fixes automatically, but we'll need to update now.
>
> 100% supportive of this change as a best practice, by the way!
>
> I'm happy to propose the bot config after this lands unless there's an objection. (Obviously, those bot updates need to be checked and not blindly merged, or it defeats the purpose.)

No concerns on my front, seems fine to me
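Added example, not code from this PR or the NVIDIA repository, covering two points raised in the thread: the pinning rule described in the PR summary (a `uses:` reference must name a full 40-hex commit SHA and keep the `# vN` tag as a trailing comment for Dependabot), and russellb's point that Dependabot bumps have to be checked rather than blindly merged. It scans workflow text for references that are unpinned or missing the version comment, maps a tag to the commit SHA from `git ls-remote --tags` output (an annotated tag lists both a tag object and a peeled `^{}` commit, and only the commit is a valid pin), rewrites a tag pin to a SHA pin, and verifies that a bumped SHA is really the commit the commented tag points at. The workflow text and ls-remote listing are constructed inline; the checkout SHAs are the ones listed in the PR, the `1111...` tag-object SHA and the `v6`-as-annotated-tag assumption are made up for the example.

```python
"""SHA-pinning checks for GitHub Actions workflows (added example; not code from
this PR or the NVIDIA repository). Sample inputs are constructed inline."""
import re

# `uses: owner/repo[/path]@ref` with an optional trailing `# comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<action>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v\d+(\.\d+)*$")   # assumption: upstream tags look like v6 / v4.2.1


def check_workflow(text):
    """Return (line_no, action, problem) for each `uses:` that is not pinned to a
    full commit SHA, or is pinned but lacks the `# vN` comment Dependabot keys on."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action = m.group("action")
        if action.startswith("./") or action.startswith("docker://"):
            continue  # local path or image reference: nothing upstream to pin
        if "@" not in action:
            findings.append((n, action, "no ref"))
            continue
        ref = action.rsplit("@", 1)[1]
        if not SHA_RE.match(ref):
            findings.append((n, action, "mutable ref %r, not a commit SHA" % ref))
        elif not (m.group("comment") and TAG_RE.match(m.group("comment"))):
            findings.append((n, action, "SHA pin without a '# vN' version comment"))
    return findings


def resolve_tag(ls_remote_output, tag):
    """Pick the commit SHA for `tag` from `git ls-remote --tags <repo>` output.
    An annotated tag is listed twice: `<tag-object> refs/tags/v6` and the peeled
    `<commit> refs/tags/v6^{}`. The commit is what a `uses:` pin must name, so the
    peeled entry wins; a lightweight tag has only the plain entry."""
    plain = peeled = None
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split()
        if ref == "refs/tags/%s^{}" % tag:
            peeled = sha
        elif ref == "refs/tags/%s" % tag:
            plain = sha
    return peeled or plain


def verify_pin(sha, tag, ls_remote_output):
    """True if `sha` is the commit `tag` currently points at: the check to run on a
    Dependabot bump before merging, since the bot's comment is only a label."""
    return resolve_tag(ls_remote_output, tag) == sha


def pin_line(line, ls_remote_output):
    """Rewrite `uses: owner/repo@vN` to `uses: owner/repo@<sha> # vN`; returns the
    line unchanged when it is already a SHA or the tag is not in the listing."""
    m = USES_RE.match(line)
    if not m or "@" not in m.group("action"):
        return line
    name, ref = m.group("action").rsplit("@", 1)
    if SHA_RE.match(ref):
        return line
    sha = resolve_tag(ls_remote_output, ref)
    if sha is None:
        return line
    return line[: m.start("action")] + "%s@%s # %s" % (name, sha, ref)


# Constructed workflow: two tag pins (what the PR replaced), a local action,
# and a SHA pin that is missing its version comment.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 22
      - uses: ./.github/actions/local-thing
      - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
"""

# Constructed `git ls-remote --tags https://github.com/actions/checkout` output.
# The v6 commit SHA is the one this PR pinned; the 1111... tag-object SHA is made up.
SAMPLE_LS_REMOTE = """\
1111111111111111111111111111111111111111\trefs/tags/v6
de0fac2e4500dabe0009e67214ff5f5447ce83dd\trefs/tags/v6^{}
34e114876b0b11c390a56381ad16ebd13914f8d5\trefs/tags/v4
"""

if __name__ == "__main__":
    for n, action, problem in check_workflow(SAMPLE_WORKFLOW):
        print("line %d: %s: %s" % (n, action, problem))
    print(pin_line("      - uses: actions/checkout@v6", SAMPLE_LS_REMOTE))
    print(verify_pin("1111111111111111111111111111111111111111", "v6", SAMPLE_LS_REMOTE))
```

In practice the listing comes from `git ls-remote --tags https://github.com/<owner>/<repo>` run once per action repository, and `check_workflow` is the kind of check that belongs in the pre-commit step the PR's Testing section mentions, so a future tag-only `uses:` cannot land. The `verify_pin` case with the `1111...` SHA is the one worth remembering: a commit-looking SHA next to a `# v6` comment is not proof that the two agree.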

@fcanogab fcanogab force-pushed the pin-github-actions-sha-v2 branch from e304212 to 06d7f0c on May 16, 2026 14:11
@johntmyers
Collaborator

@fcanogab if you could rebase once more so we can 👍 and merge

Replace all mutable version tag references across 23 workflow files
with immutable SHA digests. Retains the version tag as an inline
comment for human readability and because it's a Dependabot requirement.

Pinning to immutable SHAs eliminates the risk of a compromised or
reassigned upstream tag injecting malicious code into CI runs.

Pinned actions:
- actions/checkout@v6     => de0fac2e4500dabe0009e67214ff5f5447ce83dd
- actions/checkout@v4     => 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/github-script@v9 => 373c709c69115d41ff229c7e5df9f8788daa9553
- actions/setup-node@v6   => 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
- docker/login-action@v4  => 4907a6ddec9925e35a0a9e82d7399ccc52663121
- actions/upload-artifact@v7   => 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
- actions/download-artifact@v4 => d3f86a106a0bac45b974a628896c90dbdf5c8093
- softprops/action-gh-release@v2 => 3bb12739c298aeb8a4eeaf626c5b8d85266b0e65
- actions/attest@v4       => 281a49d4cbb0a72c9575a50d18f6deb515a11deb

Dependabot will keep these pins current via the github-actions
ecosystem config added in NVIDIA#1188.

Signed-off-by: Florencio Cano Gabarda <fcanogab@redhat.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
@fcanogab fcanogab force-pushed the pin-github-actions-sha-v2 branch from 06d7f0c to 66f6dff on May 19, 2026 05:09
@fcanogab
Contributor Author

@johntmyers done! :)

@TaylorMutch TaylorMutch merged commit f9435b4 into NVIDIA:main May 19, 2026
5 checks passed