4 changes: 2 additions & 2 deletions .github/actions/build/ci/action.yml
Expand Up @@ -13,7 +13,7 @@ runs:
if: github.event_name != 'PullRequest'
run: Write-Host "##vso[build.updatebuildnumber]$env:BUILD_SOURCEBRANCHNAME-$env:BUILD_SOURCEVERSION-$((get-date).ToString("yyyyMMddhhmmss"))"
shell: pwsh
- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: ./global.json
- name: Bootstrap
Expand All @@ -34,7 +34,7 @@ runs:
Invoke-CIBuild
shell: pwsh
- name: Upload build artifact
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: build
path: ${{ runner.workspace }}/build
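Review bot: Nothing in this change ties the 40-character SHAs on the two rewritten `uses:` lines (setup-dotnet and upload-artifact) to the releases named in their trailing comments, so `# v4.3.1` and `# v4.6.2` are unverified annotations and the SHA alone decides what runs. Before merge, each pin should be confirmed to resolve to the tagged commit in the action's own repository and not to a commit that is only reachable through a fork, since both are addressed with the same `owner/repo@sha` form. The same check applies to every pinned `uses:` line in the other file sections of this PR. If the repository does not already have one, a `github-actions` Dependabot entry or an equivalent pin check in CI would keep SHA and comment in step on later updates.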
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ runs:
steps:
- name: Get changed files
id: get-files
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
with:
script: |
const eventTypes = '${{ inputs.event-types }}'.split(',').map(t => t.trim());
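Review bot: The `script:` body on the last visible line interpolates `${{ inputs.event-types }}` directly into a JavaScript string literal, so the value is spliced into the code before github-script runs it, and a quote character in the input would change the script rather than the data. Passing it through the environment keeps it as data: add `env:` with `EVENT_TYPES: ${{ inputs.event-types }}` to the step and read it as `const eventTypes = process.env.EVENT_TYPES.split(',').map(t => t.trim());`. The path-filters action in this same PR already hands `FILES_JSON` to its script that way. Whether any caller can feed externally influenced text into this input is not visible here, and the script continues outside the hunk.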
2 changes: 1 addition & 1 deletion .github/actions/infrastructure/path-filters/action.yml
Expand Up @@ -39,7 +39,7 @@ runs:

- name: Check if GitHubWorkflowChanges is present
id: filter
uses: actions/[email protected]
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
FILES_JSON: ${{ steps.get-files.outputs.files }}
with:
8 changes: 4 additions & 4 deletions .github/actions/test/linux-packaging/action.yml
Expand Up @@ -11,7 +11,7 @@ runs:
Show-Environment
shell: pwsh

- uses: actions/setup-dotnet@v5
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json

Expand Down Expand Up @@ -97,21 +97,21 @@ runs:
shell: pwsh

- name: Upload deb packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-deb
path: ${{ runner.workspace }}/packages/*.deb
if-no-files-found: ignore

- name: Upload rpm packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-rpm
path: ${{ runner.workspace }}/packages/*.rpm
if-no-files-found: ignore

- name: Upload tar.gz packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-tar
path: ${{ runner.workspace }}/packages/*.tar.gz
6 changes: 3 additions & 3 deletions .github/actions/test/nix/action.yml
Expand Up @@ -26,7 +26,7 @@ runs:
shell: pwsh

- name: Download Build Artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: "${{ github.workspace }}"

Expand All @@ -39,7 +39,7 @@ runs:
Write-LogGroupEnd -Title 'Artifacts Directory'
shell: pwsh

- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: ./global.json

Expand All @@ -53,7 +53,7 @@ runs:
Write-LogGroupEnd -Title 'Bootstrap'
- name: Extract Files
uses: actions/[email protected]
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0
env:
DESTINATION_FOLDER: "${{ github.workspace }}/bins"
ARCHIVE_FILE_PATTERNS: "${{ github.workspace }}/build/build.zip"
2 changes: 1 addition & 1 deletion .github/actions/test/process-pester-results/action.yml
Expand Up @@ -21,7 +21,7 @@ runs:

- name: Upload testResults artifact
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: junit-pester-${{ inputs.name }}
path: ${{ runner.workspace }}/testResults
4 changes: 2 additions & 2 deletions .github/actions/test/windows/action.yml
Expand Up @@ -26,7 +26,7 @@ runs:
shell: pwsh

- name: Download Build Artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: "${{ github.workspace }}"

Expand All @@ -39,7 +39,7 @@ runs:
Write-LogGroupEnd -Title 'Artifacts Directory'
shell: pwsh

- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: .\global.json

2 changes: 1 addition & 1 deletion .github/workflows/analyze-reusable.yml
Expand Up @@ -41,7 +41,7 @@ jobs:
with:
fetch-depth: '0'

- uses: actions/setup-dotnet@v5
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json

2 changes: 1 addition & 1 deletion .github/workflows/copilot-setup-steps.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
# You can define any steps you want, and they will run before the agent starts.
# If you do not check out your code, Copilot will do this for you.
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000

4 changes: 2 additions & 2 deletions .github/workflows/labels.yml
Expand Up @@ -18,11 +18,11 @@ jobs:

steps:
- name: Check out the repository
uses: actions/checkout@v2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Verify PR has label starting with 'cl-'
id: verify-labels
uses: actions/github-script@v6
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
Comment on lines 20 to +25

Copilot AI Apr 9, 2026


This workflow update goes beyond tag hardening: actions/checkout moves from @v2 to a SHA annotated as # v6.0.2, and actions/github-script moves from @v6 to # v8.0.0. If these major upgrades are intentional, please update the backport description/testing notes accordingly; otherwise pin SHAs corresponding to the previously used major versions to minimize behavior change on the release branch.

with:
script: |
const labels = context.payload.pull_request.labels.map(label => label.name.toLowerCase());
18 changes: 9 additions & 9 deletions .github/workflows/linux-ci.yml
Expand Up @@ -55,7 +55,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
Comment on lines 56 to 60

Copilot AI Apr 9, 2026


This workflow is claimed to only harden tags, but it upgrades actions/checkout across multiple jobs (previously a mix of v4/v5 tags, now pinned as # v6.0.2). For a release-branch backport, consider pinning SHAs that correspond to the existing major versions unless the upgrade is intentional and explicitly documented/tested.


Expand All @@ -74,7 +74,7 @@ jobs:
contents: read
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Check for merge conflict markers
uses: "./.github/actions/infrastructure/merge-conflict-checker"
Expand All @@ -86,7 +86,7 @@ jobs:
if: ${{ needs.changes.outputs.source == 'true' || needs.changes.outputs.buildModuleChanged == 'true' }}
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000

Expand All @@ -101,7 +101,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Unelevated CI
Expand All @@ -118,7 +118,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Elevated CI
Expand All @@ -135,7 +135,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Unelevated Others
Expand All @@ -152,7 +152,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Elevated Others
Expand Down Expand Up @@ -187,7 +187,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

Expand Down Expand Up @@ -262,7 +262,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Linux Packaging
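Review bot: Only the `changes` job's checkout in this file sets `persist-credentials: false`; the checkout steps in the later hunks, whose `with:` blocks hold only `fetch-depth` or are absent, keep the default, so the job token stays available to git during the build and test steps that follow. Since this PR is supply-chain hardening, it would be consistent to add `persist-credentials: false` under `with:` on those steps too. That holds unless a later step in the job needs authenticated git access, which these hunks do not show. The checkout steps visible in the macos-ci.yml and windows-ci.yml sections have the same gap.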
20 changes: 10 additions & 10 deletions .github/workflows/macos-ci.yml
Expand Up @@ -55,7 +55,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Comment on lines 56 to 59

Copilot AI Apr 9, 2026


This workflow is described as a tag->SHA hardening backport, but it also upgrades actions/checkout to v6.x (per the inline comment). For release/v7.4.15, consider pinning the SHA for the previously used checkout major version unless the upgrade is intentional and explicitly called out/tested.

- name: Change Detection
id: filter
Expand All @@ -70,7 +70,7 @@ jobs:
if: ${{ needs.changes.outputs.source == 'true' || needs.changes.outputs.buildModuleChanged == 'true' }}
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Build
Expand All @@ -84,7 +84,7 @@ jobs:
runs-on: macos-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Unelevated CI
Expand All @@ -101,7 +101,7 @@ jobs:
runs-on: macos-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Elevated CI
Expand All @@ -118,7 +118,7 @@ jobs:
runs-on: macos-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Unelevated Others
Expand All @@ -135,7 +135,7 @@ jobs:
runs-on: macos-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Elevated Others
Expand All @@ -161,10 +161,10 @@ jobs:
- macos-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json
Comment on lines 163 to 169

Copilot AI Apr 9, 2026


In the packaging job, actions/setup-dotnet is being upgraded (previously @v4, now pinned as # v5.2.0). If this backport is intended to only pin existing versions, pin a commit corresponding to the existing v4 tag; otherwise please call out the major upgrade and ensure it’s covered by CI for this release branch.

- name: Bootstrap packaging
Expand Down Expand Up @@ -223,7 +223,7 @@ jobs:
testResultsFolder: "${{ runner.workspace }}/testResults"
- name: Upload package artifact
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: macos-package
path: "*.pkg"
Expand All @@ -240,4 +240,4 @@ jobs:
if: always()
uses: PowerShell/compliance/.github/workflows/[email protected]

Copilot AI Apr 9, 2026


This PR aims to harden action references by pinning to immutable SHAs, but ready_to_merge still references PowerShell/compliance by a mutable tag (@v1.0.0). To fully harden dependencies, pin this reusable workflow to a full commit SHA as well (and keep the # v1.0.0 comment if desired).

Suggested change
uses: PowerShell/compliance/.github/workflows/[email protected]
uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@<FULL_40_CHARACTER_COMMIT_SHA> # v1.0.0

with:
needs_context: ${{ toJson(needs) }}
needs_context: ${{ toJson(needs) }}
2 changes: 1 addition & 1 deletion .github/workflows/verify-markdown-links.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
Comment on lines 24 to +25

Copilot AI Apr 9, 2026


This change upgrades actions/checkout from @v4 to a SHA annotated as # v6.0.2, which is more than tag hardening and could introduce behavioral changes. Consider pinning the SHA for the existing v4 release (or update the PR description/testing notes to explicitly include the major upgrade).


- name: Verify markdown links
id: verify
12 changes: 6 additions & 6 deletions .github/workflows/windows-ci.yml
Expand Up @@ -58,7 +58,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

Comment on lines 60 to 62

Copilot AI Apr 9, 2026


The PR description says this backport only replaces mutable tags with pinned SHAs, but this workflow effectively upgrades actions/checkout (from v4.1.0 to v6.x per the inline version comment). If the upgrade is intentional, please document it and ensure CI coverage; otherwise pin the SHA for the existing v4.1.0 (or v4) checkout version to keep behavior unchanged on the release branch.

- name: Change Detection
id: filter
Expand All @@ -73,7 +73,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Build
Expand All @@ -87,7 +87,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Unelevated CI
Expand All @@ -104,7 +104,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Elevated CI
Expand All @@ -121,7 +121,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Unelevated Others
Expand All @@ -138,7 +138,7 @@ jobs:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v4.1.0
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Windows Elevated Others