[Security] Pinned github actions to prevent supply chain attacks #11177
+42
−42
Title
This PR implements pinning for GitHub Actions as used in this repository. Pinning GitHub Actions is a best practice recommended by GitHub, as pinning an action to a full-length commit SHA is currently the only way to use an action as an immutable release.
Not pinning your GitHub Actions exposes you to supply chain attacks, as was recently the case with the tj-actions/changed-files action.
The versions I've pinned are the same versions that are currently in use by the repository.
Relevant issues
Pre-Submission checklist
Please complete all items before asking a LiteLLM maintainer to review your PR
• Tests in the tests/litellm/ directory, adding at least 1 test is a hard requirement - see details
• make test-unit
Type
🆕 New Feature
🐛 Bug Fix
🧹 Refactoring
📖 Documentation
🚄 Infrastructure
✅ Test
Changes
The following actions were pinned:
• .github/workflows/ghcr_deploy.yml:130 - build-and-push-image-ee@Checkout repository@actions/checkout@v4
• .github/workflows/ghcr_deploy.yml:62 - docker-hub-deploy@Build and push litellm-database image@docker/build-push-action@v5
• .github/workflows/ghcr_deploy.yml:342 - build-and-push-helm-chart@Bump release version@christian-draeger/increment-semantic-version@1.1.0
• .github/workflows/load_test.yml:17 - build@Setup Python@actions/setup-python@v2
• .github/workflows/reset_stable.yml:13 - update-stable-branch@Checkout repository@actions/checkout@v3
• .github/workflows/stale.yml:12 - stale@actions/stale@v8
• .github/workflows/test-linting.yml:16 - lint@Set up Python@actions/setup-python@v4
• .github/workflows/ghcr_helm_deploy.yml:21 - build-and-push-helm-chart@Checkout repository@actions/checkout@v4
• .github/workflows/publish-migrations.yml:186 - publish-migrations@Create Pull Request@peter-evans/create-pull-request@v5
• .github/workflows/ghcr_deploy.yml:46 - docker-hub-deploy@Set up Docker Buildx@docker/setup-buildx-action@v3
• .github/workflows/ghcr_deploy.yml:259 - build-and-push-image-spend-logs@Checkout repository@actions/checkout@v4
• .github/workflows/ghcr_deploy.yml:373 - release@Create release@actions/github-script@v6
• .github/workflows/ghcr_helm_deploy.yml:48 - build-and-push-helm-chart@Bump release version@christian-draeger/increment-semantic-version@1.1.0
• .github/workflows/helm_unit_test.yml:17 - unit-test@Set up Helm 3.11.1@azure/setup-helm@v1
• .github/workflows/label-mlops.yml:13 - add-mlops-label@Check if ML Ops Team is selected@actions-ecosystem/action-add-labels@v1
• .github/workflows/load_test.yml:15 - build@Checkout@actions/checkout@v1
• .github/workflows/test-linting.yml:21 - lint@Install Poetry@snok/install-poetry@v1
• .github/workflows/ghcr_deploy.yml:55 - docker-hub-deploy@Build and push@docker/build-push-action@v5
• .github/workflows/ghcr_deploy.yml:70 - docker-hub-deploy@Build and push litellm-spend-logs image@docker/build-push-action@v5
• .github/workflows/ghcr_deploy.yml:173 - build-and-push-image-database@Checkout repository@actions/checkout@v4
• .github/workflows/ghcr_deploy.yml:300 - build-and-push-helm-chart@Checkout repository@actions/checkout@v4
• .github/workflows/ghcr_helm_deploy.yml:36 - build-and-push-helm-chart@Get LiteLLM Latest Tag@WyriHaximus/github-action-get-previous-tag@v1.3.0
• .github/workflows/helm_unit_test.yml:14 - unit-test@Checkout@actions/checkout@v2
• .github/workflows/test-litellm.yml:21 - test@Set up Python@actions/setup-python@v4
• .github/workflows/test-litellm.yml:26 - test@Install Poetry@snok/install-poetry@v1
• .github/workflows/auto_update_price_and_context_window.yml:12 - auto_update_price_and_context_window@actions/checkout@v3
• .github/workflows/ghcr_deploy.yml:49 - docker-hub-deploy@Login to Docker Hub@docker/login-action@v3
• .github/workflows/ghcr_deploy.yml:398 - release@Fetch Release Notes@actions/github-script@v6
• .github/workflows/test-litellm.yml:13 - test@actions/checkout@v4
• .github/workflows/ghcr_deploy.yml:38 - docker-hub-deploy@Checkout@actions/checkout@v4
• .github/workflows/ghcr_deploy.yml:216 - build-and-push-image-non_root@Checkout repository@actions/checkout@v4
• .github/workflows/publish-migrations.yml:48 - publish-migrations@actions/checkout@v3
• .github/workflows/publish-migrations.yml:51 - publish-migrations@Set up Python@actions/setup-python@v4
• .github/workflows/test-linting.yml:13 - lint@actions/checkout@v4
• .github/workflows/load_test.yml:52 - build@Upload CSV as Asset to Latest Release@xresloader/upload-to-github-release@v1
• .github/workflows/ghcr_deploy.yml:43 - docker-hub-deploy@Set up QEMU@docker/setup-qemu-action@v3
• .github/workflows/read_pyproject_version.yml:14 - read-version@Checkout code@actions/checkout@v2
• .github/workflows/ghcr_deploy.yml:85 - build-and-push-image@Checkout repository@actions/checkout@v4
• .github/workflows/load_test.yml:36 - build@Run Load Test@BerriAI/locust-github-action@master
• .github/workflows/main.yml:12 - publish-dev-release@Checkout code@actions/checkout@v2
• .github/workflows/main.yml:15 - publish-dev-release@Set up Python@actions/setup-python@v2
• .github/workflows/read_pyproject_version.yml:17 - read-version@Set up Python@actions/setup-python@v2
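As an added example (not code from this PR or the LiteLLM repository), here is a small Python checker that flags `uses:` references not pinned to a full-length commit SHA, the condition this PR fixes across the workflows listed above. It goes slightly beyond the PR's list by also skipping local (`./`) and `docker://` references, which are not GitHub-hosted actions; the embedded workflow text and the 40-hex SHA in it are constructed for illustration, not real commits.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow (not from the LiteLLM repository) covering the
# reference shapes in the PR's list: a tag pin, a branch pin and a SHA pin.
SAMPLE_WORKFLOW = """\
name: load_test
on: [workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v1
      - name: Setup Python
        uses: actions/setup-python@v2
      - name: Run Load Test
        uses: BerriAI/locust-github-action@master
      - name: Already pinned (constructed SHA, not a real commit)
        uses: actions/stale@0123456789abcdef0123456789abcdef01234567 # v8
      - name: Local action, no remote supply chain
        uses: ./.github/actions/local-step
      - run: echo "shell step, nothing to pin"
"""

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)""")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based line number in the workflow file
    action: str  # owner/repo[/path] of the action
    ref: str     # the mutable ref that should be replaced by a commit SHA


def find_unpinned(workflow_text: str) -> list[Finding]:
    """Return every remote `uses:` reference whose ref is not a full 40-hex commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref_spec = m.group(1)
        # Local paths and container images are not GitHub-hosted actions; skip them.
        if ref_spec.startswith("./") or ref_spec.startswith("docker://"):
            continue
        action, _, ref = ref_spec.partition("@")
        # A tag (v4), a branch (master) or no ref at all can be moved; only a SHA is immutable.
        if not SHA_RE.match(ref):
            findings.append(Finding(lineno, action, ref or "<none>"))
    return findings
```

Running `find_unpinned` over each file under `.github/workflows/` gives the same kind of list this PR enumerates, with the line number, action and mutable ref to replace.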