Skip to content

chore: pin external github ations to commit SHA #9417

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
notjaywu wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

chore: pin external github ations to commit SHA #9417

notjaywu wants to merge 1 commit into from
+1 −1

Conversation

@notjaywu
Copy link
Contributor

@notjaywu notjaywu commented Nov 25, 2025

No description provided.

@notjaywu notjaywu enabled auto-merge (squash) November 25, 2025 04:09
@notjaywu notjaywu disabled auto-merge November 25, 2025 04:09
@notjaywu notjaywu enabled auto-merge (squash) November 25, 2025 04:09
Copilot AI reviewed Nov 25, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances the security posture of the GitHub workflows by pinning the ncipollo/release-action external action to a specific commit SHA. This follows the established security best practice in the repository where external GitHub actions (those not from the official actions/ namespace) are pinned to immutable commit hashes to prevent supply chain attacks through compromised action versions.

Key Changes

  • Pinned ncipollo/release-action from version tag v1 to commit SHA 440c8c1cb0ed28b9f43e4d1d670870f059653174

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

.github/workflows/release-publish.yml

- name: Create Tag and Release
uses: ncipollo/release-action@v1
uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
Copy link

Copilot AI Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove trailing space after the version comment. The comment should be # v1 not # v1 to maintain consistency with other pinned actions in this file.

Suggested change
uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1
uses: ncipollo/release-action@440c8c1cb0ed28b9f43e4d1d670870f059653174 # v1

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@balugeorge balugeorge Awaiting requested review from balugeorge

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@notjaywu