
Conversation

dacoburn
Collaborator

GitHub Actions workflows were failing due to unpinned action references. The security policy requires all actions to be pinned to full-length commit SHAs, but the workflows were using semantic version tags (e.g., @v4, @v5).

Root Cause

Actions were referenced using semantic version tags (actions/checkout@v4, actions/setup-python@v5, etc.) instead of full commit SHAs. Additionally, inline comments containing @vX.X.X patterns were being detected by the security scanner as unpinned action references, even though the actual action uses were correctly pinned.

Fix

  • Pinned all GitHub Actions to full-length commit SHAs:
    • actions/checkout@v4 → actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
    • actions/setup-python@v5 → actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3
    • pypa/gh-action-pypi-publish@v1.12.4 → pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70
    • actions/github-script@v7 → actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
  • Reformatted inline comments to avoid @vX.X.X pattern detection (e.g., # checkout v4.2.1 instead of # v4.2.1)

Public Changelog

N/A
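As an added example (editor's code, not part of this PR or of the project's security scanner), here is a small Python check of the rule the PR enforces: every `uses:` reference in a workflow must carry a full 40-hex commit SHA, and anything after an unquoted `#` is a comment and is never treated as the reference, so a version comment such as `# v4.2.1` on a correctly pinned line cannot produce a finding. The sample workflow text is constructed for illustration; the SHAs in it are the four listed in the PR description. The `naive_unpinned` function is an illustration of the class of comment-induced false positive the description reports, not a reconstruction of the real scanner's rule.

```python
"""Check GitHub Actions workflows for `uses:` references that are not pinned
to a full-length commit SHA.

Editor's example for this PR page; not the project's own scanner.
SAMPLE_WORKFLOW is constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# A step's `uses:` value, stopping at whitespace or `#`, so a trailing YAML
# comment (e.g. `# v5.2.0`) is never part of the captured reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length git commit SHA: exactly 40 lowercase hex digits.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Crude pattern that looks for a `vX[.Y[.Z]]` token anywhere after `uses:`,
# including inside comments. Illustrates the false positive described in the
# PR; it is NOT the real scanner's regex.
NAIVE_RE = re.compile(r"uses:.*\bv\d+(?:\.\d+){0,2}\b")

SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5.2.0
      - uses: pypa/gh-action-pypi-publish@v1.12.4
      - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # checkout v7.0.1
      - uses: ./.github/actions/local-thing
      - run: echo "mentions @v1.2.3 in a shell command, not a uses: ref"
"""


def parse_uses(line: str) -> Optional[Tuple[str, str]]:
    """Return (action, ref) for a `uses:` line, or None if the line is not one.

    Local actions (`./path`) and `docker://` images have no git ref to pin and
    are skipped. Quotes around the value are tolerated.
    """
    m = USES_RE.match(line)
    if not m:
        return None
    target = m.group(1).strip("'\"")
    if target.startswith("./") or target.startswith("docker://"):
        return None
    action, sep, ref = target.partition("@")
    return action, (ref if sep else "")


def is_pinned(ref: str) -> bool:
    """True only for a full 40-hex commit SHA; tags, branches and short SHAs fail."""
    return FULL_SHA_RE.fullmatch(ref) is not None


def find_unpinned(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Comment-aware check: (line number, action, ref) for each unpinned use."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        parsed = parse_uses(line)
        if parsed is None:
            continue
        action, ref = parsed
        if not is_pinned(ref):
            findings.append((lineno, action, ref))
    return findings


def naive_unpinned(workflow_text: str) -> List[int]:
    """Line numbers a crude whole-line `vX.Y.Z` match would flag.

    Because it does not stop at `#`, a correctly pinned line with a version
    comment is flagged too; compare with find_unpinned().
    """
    return [
        lineno
        for lineno, line in enumerate(workflow_text.splitlines(), start=1)
        if NAIVE_RE.search(line)
    ]


if __name__ == "__main__":
    for lineno, action, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref or '<no ref>'} is not pinned to a full commit SHA")
    print("naive check would flag lines:", naive_unpinned(SAMPLE_WORKFLOW))
```

On the constructed sample, the comment-aware check flags only the two tag-pinned steps (lines 7 and 9), while the naive check also flags the two correctly pinned steps whose comments mention a version (lines 8 and 10). To resolve a tag to the SHA to pin, `git ls-remote https://github.com/actions/checkout refs/tags/v4.2.1` prints the tag's object; for an annotated tag the commit itself is the `refs/tags/v4.2.1^{}` entry, which is the value that belongs after `@`.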

@dacoburn dacoburn requested a review from a team as a code owner October 13, 2025 23:14
@dacoburn dacoburn requested review from Raynos and jghebre and removed request for a team October 13, 2025 23:14
@dc-larsen dc-larsen self-requested a review October 13, 2025 23:37
@dacoburn dacoburn merged commit 52053ab into main Oct 13, 2025
4 of 5 checks passed
@dacoburn dacoburn deleted the doug/fix-workflows-remove-versions branch October 13, 2025 23:42