4 changes: 2 additions & 2 deletions .github/actions/build/ci/action.yml
@@ -13,7 +13,7 @@ runs:
if: github.event_name != 'PullRequest'
run: Write-Host "##vso[build.updatebuildnumber]$env:BUILD_SOURCEBRANCHNAME-$env:BUILD_SOURCEVERSION-$((get-date).ToString("yyyyMMddhhmmss"))"
shell: pwsh
- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: ./global.json
- name: Bootstrap
@@ -34,7 +34,7 @@ runs:
Invoke-CIBuild
shell: pwsh
- name: Upload build artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: build
path: ${{ runner.workspace }}/build
@@ -21,7 +21,7 @@ runs:
steps:
- name: Get changed files
id: get-files
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
with:
script: |
const eventTypes = '${{ inputs.event-types }}'.split(',').map(t => t.trim());
2 changes: 1 addition & 1 deletion .github/actions/infrastructure/path-filters/action.yml
@@ -39,7 +39,7 @@ runs:

- name: Check if GitHubWorkflowChanges is present
id: filter
uses: actions/[email protected]
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
FILES_JSON: ${{ steps.get-files.outputs.files }}
with:
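Review bot: `actions/github-script` ends up pinned to three different v7 commits across the composite actions: v7.0.1 here in the `filter` step, v7.1.0 in the "Get changed files" step of the preceding section, and v7.0.0 in the "Extract Files" step of `.github/actions/test/nix/action.yml`. Each distinct SHA is a separate artifact to audit and keep updated, so converging on one reviewed commit would shrink that surface, e.g. `uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0` if v7.1.0 is acceptable for this branch. The trailing version comment is not checked by the runner, so it is worth confirming that each SHA really is the commit behind the tag named next to it. The step's `with:` block continues outside the hunk.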
8 changes: 4 additions & 4 deletions .github/actions/test/linux-packaging/action.yml
@@ -11,7 +11,7 @@ runs:
Show-Environment
shell: pwsh

- uses: actions/setup-dotnet@v5
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json

@@ -97,21 +97,21 @@ runs:
shell: pwsh

- name: Upload deb packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-deb
path: ${{ runner.workspace }}/packages/*.deb
if-no-files-found: ignore

- name: Upload rpm packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-rpm
path: ${{ runner.workspace }}/packages/*.rpm
if-no-files-found: ignore

- name: Upload tar.gz packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-tar
path: ${{ runner.workspace }}/packages/*.tar.gz
6 changes: 3 additions & 3 deletions .github/actions/test/nix/action.yml
@@ -26,7 +26,7 @@ runs:
shell: pwsh

- name: Download Build Artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: "${{ github.workspace }}"

@@ -39,7 +39,7 @@ runs:
Write-LogGroupEnd -Title 'Artifacts Directory'
shell: pwsh

- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: ./global.json

@@ -53,7 +53,7 @@ runs:
Write-LogGroupEnd -Title 'Bootstrap'
- name: Extract Files
uses: actions/[email protected]
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0
env:
DESTINATION_FOLDER: "${{ github.workspace }}/bins"
ARCHIVE_FILE_PATTERNS: "${{ github.workspace }}/build/build.zip"
2 changes: 1 addition & 1 deletion .github/actions/test/process-pester-results/action.yml
@@ -21,7 +21,7 @@ runs:

- name: Upload testResults artifact
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: junit-pester-${{ inputs.name }}
path: ${{ runner.workspace }}/testResults
4 changes: 2 additions & 2 deletions .github/actions/test/windows/action.yml
@@ -26,7 +26,7 @@ runs:
shell: pwsh

- name: Download Build Artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: "${{ github.workspace }}"

@@ -39,7 +39,7 @@ runs:
Write-LogGroupEnd -Title 'Artifacts Directory'
shell: pwsh

- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: .\global.json

2 changes: 1 addition & 1 deletion .github/workflows/analyze-reusable.yml
@@ -41,7 +41,7 @@ jobs:
with:
fetch-depth: '0'

- uses: actions/setup-dotnet@v5
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json

2 changes: 1 addition & 1 deletion .github/workflows/copilot-setup-steps.yml
@@ -25,7 +25,7 @@ jobs:
# You can define any steps you want, and they will run before the agent starts.
# If you do not check out your code, Copilot will do this for you.
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Copilot AI Apr 9, 2026

This workflow changes actions/checkout from @v5 to a SHA annotated as v6.0.2. If this PR is intended to only pin tags, it should pin the commit that corresponds to v5 instead; otherwise, please document that this is a major-version action upgrade and validate any behavior changes (especially since this runs for Copilot environment setup).

with:
fetch-depth: 1000

4 changes: 2 additions & 2 deletions .github/workflows/labels.yml
@@ -18,11 +18,11 @@ jobs:

steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Verify PR has label starting with 'cl-'
id: verify-labels
uses: actions/github-script@v6
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
Comment on lines +21 to +25
Copilot AI Apr 9, 2026

This workflow upgrades third-party actions while pinning them: actions/checkout goes from @v2 to a SHA annotated as v6.0.2, and actions/github-script goes from @v6 to a SHA annotated as v8.0.0. If the intent is supply-chain hardening only, pin the commits corresponding to the previously used majors; otherwise, call out these major upgrades explicitly and verify compatibility on the release branch.

with:
script: |
const labels = context.payload.pull_request.labels.map(label => label.name.toLowerCase());
18 changes: 9 additions & 9 deletions .github/workflows/linux-ci.yml
@@ -55,7 +55,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Copilot AI Apr 9, 2026

This change upgrades actions/checkout to a commit annotated as v6.0.2 across the workflow (some jobs previously used v4/v5/v4.1.0). If the goal is only to pin existing tags, pin the commits matching the original versions to avoid introducing breaking changes into the release branch.

with:
persist-credentials: false

@@ -74,7 +74,7 @@ jobs:
contents: read
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Check for merge conflict markers
uses: "./.github/actions/infrastructure/merge-conflict-checker"
@@ -86,7 +86,7 @@ jobs:
if: ${{ needs.changes.outputs.source == 'true' || needs.changes.outputs.buildModuleChanged == 'true' }}
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000

@@ -101,7 +101,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Unelevated CI
@@ -118,7 +118,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Elevated CI
@@ -135,7 +135,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Unelevated Others
@@ -152,7 +152,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Elevated Others
@@ -175,7 +175,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

@@ -250,7 +250,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Linux Packaging
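Review bot: Only the checkout in the first hunk (the job that exports `packagingChanged`) sets `persist-credentials: false`; the other pinned `actions/checkout` steps in this file pass just `fetch-depth` or no inputs at all, so the workflow token stays available to the build and test steps that follow in those jobs. Since the change is about supply-chain hardening, consider adding `persist-credentials: false` under `with:` on every checkout whose job does not need authenticated git afterwards. The triggers and most `permissions:` blocks are outside the visible hunks, so the real exposure should be confirmed against them. The checkout steps shown for `.github/workflows/macos-ci.yml` and `.github/workflows/windows-ci.yml` follow the same pattern.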
20 changes: 10 additions & 10 deletions .github/workflows/macos-ci.yml
@@ -57,7 +57,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Copilot AI Apr 9, 2026

This workflow pins actions/checkout to a SHA annotated as v6.0.2, which upgrades from the prior @v5. For a release branch backport focused on hardening, consider pinning the commit for the existing major version instead (or explicitly treat this as an action upgrade and adjust risk/testing accordingly).


- name: Change Detection
id: filter
@@ -72,7 +72,7 @@ jobs:
if: ${{ needs.changes.outputs.source == 'true' || needs.changes.outputs.buildModuleChanged == 'true' }}
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Build
@@ -86,7 +86,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Unelevated CI
@@ -103,7 +103,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Elevated CI
@@ -120,7 +120,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Unelevated Others
@@ -137,7 +137,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Elevated Others
@@ -164,10 +164,10 @@ jobs:
- macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
Copilot AI Apr 9, 2026

This step changes actions/setup-dotnet from @v4 to a SHA annotated as v5.2.0 (major-version upgrade). If the intent is tag hardening only, pin the v4 commit instead; otherwise, the PR description/risk/testing should explicitly cover the action upgrade on the release branch.

with:
global-json-file: ./global.json
- name: Bootstrap packaging
@@ -226,7 +226,7 @@ jobs:
testResultsFolder: "${{ runner.workspace }}/testResults"
- name: Upload package artifact
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: macos-package
path: "*.pkg"
@@ -242,4 +242,4 @@ jobs:
if: always()
uses: PowerShell/compliance/.github/workflows/[email protected]
with:
needs_context: ${{ toJson(needs) }}
needs_context: ${{ toJson(needs) }}
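Review bot: The `PowerShell/compliance/.github/workflows/…` reusable workflow in the last hunk is still referenced by what appears to be a tag-style ref rather than a commit SHA (the ref is obscured in this rendering), while every `actions/*` step in the file is now pinned. A called workflow receives the `needs` context passed here and is resolved through a movable ref in the same way an action tag is, so it should get the same treatment: `uses: PowerShell/compliance/.github/workflows/<workflow-file>@<full-commit-sha> # <tag>`. The same reference appears unchanged at the end of `.github/workflows/windows-ci.yml`.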
2 changes: 1 addition & 1 deletion .github/workflows/verify-markdown-links.yml
@@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Copilot AI Apr 9, 2026

This workflow now pins actions/checkout to a commit annotated as v6.0.2 (previously @v4). If this PR is intended to only harden existing action references, consider pinning the commit for the previously used major version to avoid unreviewed behavior changes.


- name: Verify markdown links
id: verify
14 changes: 7 additions & 7 deletions .github/workflows/windows-ci.yml
@@ -58,7 +58,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Copilot AI Apr 9, 2026

This file replaces actions/checkout@v4.1.0 with a SHA annotated as v6.0.2, which is a major-version upgrade (not just tag hardening). On a release branch, it would be safer to pin the commit for the previously used version, or explicitly document/justify the upgrade and ensure CI coverage for the changed checkout behavior.


- name: Change Detection
id: filter
@@ -73,7 +73,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Build
@@ -87,7 +87,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Unelevated CI
@@ -104,7 +104,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Elevated CI
@@ -121,7 +121,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Unelevated Others
@@ -138,7 +138,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Elevated Others
@@ -185,4 +185,4 @@ jobs:
if: always()
uses: PowerShell/compliance/.github/workflows/[email protected]
with:
needs_context: ${{ toJson(needs) }}
needs_context: ${{ toJson(needs) }}