
chore(ci): Pin GitHub Actions to SHA-1s #140

Merged: xhyrom merged 1 commit into oven-sh:main from dgilmanuni:main on Oct 9, 2025

Conversation

@dgilmanuni (Contributor)

Description

In order to mitigate malicious updates and allow users of this repo to use the "Enforce SHA pinning setting" in their repos.

Changes

  • Pinning GitHub Actions to SHA-1s

@coderabbitai bot commented Sep 30, 2025

Walkthrough

Pinned GitHub Actions to specific commit SHAs in workflows: actions/checkout in format.yml, test.yml, and release.yml; actions/publish-action in release.yml. No other workflow steps or logic were modified. No changes to exported or public entities.

Changes

Cohort: Pin actions/checkout to commit SHA
  File(s): .github/workflows/format.yml, .github/workflows/test.yml, .github/workflows/release.yml
  Summary of changes: Replaced uses of actions/checkout@v4 with actions/checkout@08eba0b and added a comment noting v4.

Cohort: Pin actions/publish-action to commit SHA
  File(s): .github/workflows/release.yml
  Summary of changes: Replaced actions/publish-action@v0.3.0 with actions/publish-action@f784495.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Title Check: ✅ Passed. The title clearly and concisely conveys the primary change of the pull request, specifying that the CI workflows are updated to pin GitHub Actions to SHA-1 commit hashes, which aligns directly with the changes in the diff.

Description Check: ✅ Passed. The pull request description explains the rationale for pinning third-party Actions to specific SHA-1s to mitigate malicious updates and accurately summarizes the change made in the workflows, matching the modifications present in the diff.

Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

📥 Commits

Reviewing files that changed from the base of the PR and between 22457c8 and 5193987.

📒 Files selected for processing (3)
  • .github/workflows/format.yml (1 hunks)
  • .github/workflows/release.yml (1 hunks)
  • .github/workflows/test.yml (6 hunks)

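The property this PR establishes (every third-party action referenced by a full commit SHA, with a comment recording the human-readable version) is easy to regress in a later edit. The script below is an added example, not code from this PR or from the oven-sh project: it scans workflow text for `uses:` references, skips local (`./`) and `docker://` actions that have no git ref to pin, and reports any reference that is a mutable tag or branch, or that is pinned but lacks the version comment. The sample workflow and the 40-character SHA in it are constructed placeholders, not real commits or real files from the repository.

```python
"""Report GitHub Actions 'uses:' references that are not pinned to a full commit SHA.

Added example for this PR discussion; the sample workflow below is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A full git commit SHA-1 is exactly 40 lowercase hex characters.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# Matches '- uses: <target>' with an optional trailing '# comment'.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>\S+)\s*(?:#\s*(?P<comment>.*\S))?\s*$"
)


@dataclass
class UsesRef:
    line_no: int
    action: str
    ref: str
    comment: Optional[str]

    @property
    def pinned(self) -> bool:
        """True only when the ref is an immutable full commit SHA."""
        return bool(FULL_SHA.match(self.ref))


def find_uses(workflow_text: str) -> List[UsesRef]:
    """Extract every remote action reference from workflow YAML text."""
    refs: List[UsesRef] = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_LINE.match(line)
        if not match:
            continue
        target = match.group("target")
        # Local actions and docker images carry no git ref, so SHA pinning does not apply.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" in target:
            action, ref = target.rsplit("@", 1)
        else:
            action, ref = target, ""  # remote action with no ref at all
        refs.append(UsesRef(line_no, action, ref, match.group("comment")))
    return refs


def unpinned(workflow_text: str) -> List[str]:
    """Return one finding per reference that is mutable or pinned without a version comment."""
    findings: List[str] = []
    for r in find_uses(workflow_text):
        if not r.ref:
            findings.append(f"line {r.line_no}: {r.action} has no ref; pin to a full commit SHA")
        elif not r.pinned:
            findings.append(
                f"line {r.line_no}: {r.action}@{r.ref} is a mutable ref; pin to a full commit SHA"
            )
        elif not r.comment:
            findings.append(
                f"line {r.line_no}: {r.action}@{r.ref[:7]} is pinned but lacks a '# vX' comment recording the version"
            )
    return findings


# Constructed placeholder, not a real commit of any action.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"

# Constructed sample workflow mixing pinned, unpinned and exempt references.
SAMPLE_WORKFLOW = f"""
name: test
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@{PLACEHOLDER_SHA} # v4
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - name: Run tests
        run: bun test
"""

if __name__ == "__main__":
    for finding in unpinned(SAMPLE_WORKFLOW):
        print(finding)
```

Run it against real workflow files by reading each `.github/workflows/*.yml` into `unpinned()`; a non-empty result is what GitHub's "Enforce SHA pinning" setting would also reject, so the check belongs in CI or a pre-commit hook rather than only in review.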

@xhyrom xhyrom merged commit 6356405 into oven-sh:main Oct 9, 2025
43 checks passed