Skip to content

Lock GitHub Actions dependencies to SHAs for security and predictability #1261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 12, 2025
Merged

Lock GitHub Actions dependencies to SHAs for security and predictability #1261

merged 1 commit into from
Aug 12, 2025

Conversation

larouxn
Copy link
Contributor

@larouxn larouxn commented Aug 11, 2025
edited
Loading

What is this PR doing?

Locks the three GitHub Actions dependencies to specific versions via said versions' SHAs.

image

Why is this PR doing such?

  1. Locking to SHAs is best practice for security and sanity as we know which version is being used. Without doing Actions will simply use whatever latest version is available, a silent bump of sorts. For example, actions/checkout just released a v4.3.0 today, which will be used automatically.
    2. With locking to SHAs we should receive (albeit somewhat rare) Dependabot upgrade PRs for said Actions dependencies which version is in use will be explicit and thus can be updated explicitly. For example, actions/checkout v5.0.0 was just released today. After this PR I expect we'll receive a bump PR to such. We should receive bumps even without locking but such would only be for major versions. Actions would use latest version for a given major versions per run thus minor and patch versions automatically bump transiently.

Reference

@larouxn larouxn changed the title Lock GitHub Actions dependencies to SHAs for security and sanity Lock GitHub Actions dependencies to SHAs for security and predictability Aug 11, 2025
@larouxn larouxn force-pushed the lock_github_actions_dependencies_to_SHAs branch 2 times, most recently from 30527f0 to 9b20563 Compare August 11, 2025 22:13
@etiennebarrie
Copy link
Member

We very rarely had issues with GitHub Actions, the only one I can find is 9a4e23e and it was an issue of a workflow we weren't directly using.
In addition to the regular dependency update fatigue, shouldn't it also lead us to upgrade to potentially less stable versions than the releases? Can we somehow get the best of both worlds? It seems we can't.

I guess it's not ideal but it probably makes sense to do it anyway, we have few of them and they don't update all that often (ruby/setup-ruby is the most active). Thanks for your contribution.

Actually looking more into it, there is already a concept of immutable action package: https://github.com/Shopify/maintenance_tasks/actions/runs/16751139569/job/47421412230#step:1:28
But I tried and @v4 by itself is not immutable, we did get v4.3.0 in this workflow run.
So maybe we could keep the tags for these two? And it seems we would get the upside of only using released versions while ensuring they also don't change. Maybe? The guarantees don't seem strong, so I'm tempted to just merge your PR as is.

@larouxn
Copy link
Contributor Author

larouxn commented Aug 12, 2025
edited
Loading

In addition to the regular dependency update fatigue, shouldn't it also lead us to upgrade to potentially less stable versions than the releases? Can we somehow get the best of both worlds? It seems we can't.

I guess it's not ideal but it probably makes sense to do it anyway, we have few of them and they don't update all that often (ruby/setup-ruby is the most active). Thanks for your contribution.

Definitely a concern, having more upgrade PRs to merge. That said, as you mentioned, of the three packages setup-ruby is more-or-less the only one with any sort of frequent updates.

  • setup-ruby has had quite a few updates in the last couple months though mostly we can expect bumps every 2 months re: new Ruby versions being released (Ruby release schedule noted)
  • actions/checkout just had its first two releases (v4.3.0 and v5.0.0) since Oct 2024 (+9 months)
  • actions/stale's last update was this past January (~9 months ago) and the release prior to that was in December 2023, over year prior to the most recent release

Thus, I think (am hoping) this won't generate too much noise/toil. I suppose our one recourse could be to drop the setup-ruby SHA-ification as its releases typically just add functionality for new Ruby releases and rarely make any breaking changes. The other two have a higher (albeit minor) chance of breaking something.

If you'd like me to drop the setup-ruby change I can. Glad to merge either way.

Speaking of GitHub Actions Dependabot, I was surprised to see that Dependabot found the actions/checkout v4 -> v5 upgrade and said it created a bump PR but it did not create a PR. Didn't even create a branch. It showed up eventually.

EDIT: Pushed commit up again with refined message as to not be inaccurate. 🙏

@larouxn
Lock GitHub Actions dependencies to SHAs for security and predictability
87000a5 
Locking to SHAs is best practice for security and sanity as we know which version is being used. Without doing Actions will simply use whatever latest version is available, a silent bump of sorts. For example, actions/checkout just released a v4.3.0 today, which will be used automatically.
@larouxn larouxn force-pushed the lock_github_actions_dependencies_to_SHAs branch from 9b20563 to 87000a5 Compare August 12, 2025 13:58
@etiennebarrie etiennebarrie merged commit a0e391b into Shopify:main Aug 12, 2025
14 checks passed
@larouxn larouxn deleted the lock_github_actions_dependencies_to_SHAs branch August 12, 2025 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@etiennebarrie etiennebarrie etiennebarrie approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@larouxn @etiennebarrie