ci: pin GitHub Actions to commit SHAs for supply chain security #56
Conversation
Pin all GitHub Actions dependencies to specific commit SHAs instead of version tags to prevent supply chain attacks. This follows OpenSSF Scorecard best practices for dependency pinning. Pinned actions: - actions/checkout@v5 - actions/create-github-app-token@v2 - actions/setup-python@v6 - actions/upload-artifact@v4 - amannn/action-semantic-pull-request@v6 - astral-sh/setup-uv@v7 - codecov/codecov-action@v5 - github/codeql-action/*@V3 - github/codeql-action/*@v4 - ossf/scorecard-action@v2.4.3 - pypa/gh-action-pypi-publish@release/v1 All SHAs include comments showing the original version tag for maintainability. Expected impact: Pinned-Dependencies score 0 → 10 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
|
Warning Rate limit exceeded@dreamiurg has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 22 minutes and 15 seconds before requesting another review. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. 📒 Files selected for processing (4)
✨ Finishing touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #56 +/- ##
=======================================
Coverage 91.21% 91.21%
=======================================
Files 8 8
Lines 1081 1081
=======================================
Hits 986 986
Misses 95 95 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Problem
OpenSSF Scorecard gives 0/10 for Pinned-Dependencies because GitHub Actions are referenced by mutable version tags (e.g.,
@v5) instead of immutable commit SHAs.Solution
Pin all GitHub Actions to specific commit SHAs to prevent supply chain attacks. Each pinned SHA includes a comment with the original version tag for maintainability.
Pinned Actions
actions/checkout@v5→@08c6903...actions/create-github-app-token@v2→@6701853...actions/setup-python@v6→@e797f83...actions/upload-artifact@v4→@ea165f8...amannn/action-semantic-pull-request@v6→@48f2562...astral-sh/setup-uv@v7→@8585678...codecov/codecov-action@v5→@5a10915...github/codeql-action/*@v3→@5d5cd55...github/codeql-action/*@v4→@0499de3...ossf/scorecard-action@v2.4.3→@4eaacf0...pypa/gh-action-pypi-publish@release/v1→@ed0c539...Expected Impact
Pinned-Dependencies score: 0 → 10
This will improve the overall OpenSSF Scorecard from 6.5/10 to 7.5/10.
Testing
All workflow files validated by yamllint. CI tests will verify workflows still function correctly with pinned SHAs.
Maintenance
When updating action versions:
uses: actions/checkout@<new-sha> # v6Dependabot will notify when actions have new releases, but won't auto-update pinned SHAs.
🤖 Generated with Claude Code