Skip to content

ci: pin docker actions to commit SHA#2328

Open
mesutoezdil wants to merge 2 commits into
NVIDIA:mainfrom
mesutoezdil:ci/pin-docker-actions
Open

ci: pin docker actions to commit SHA#2328
mesutoezdil wants to merge 2 commits into
NVIDIA:mainfrom
mesutoezdil:ci/pin-docker-actions

Conversation

@mesutoezdil

@mesutoezdil mesutoezdil commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

docker/login-action and docker/setup-buildx-action were on a mutable version tag (@V3) while every other third-party action in the repo is pinned to a commit SHA. This pins both.

login-action is aligned to the same v4 SHA already pinned in ci-image.yml, so the repo uses one version consistently instead of v3 in one place and v4 in another.

@copy-pr-bot

copy-pr-bot Bot commented Jul 16, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

Comment thread .github/actions/setup-buildx/action.yml Outdated
login-action and setup-buildx-action used a mutable version tag while
every other action in the repo is pinned to a commit SHA. Pin both,
and align login-action to the same v4 SHA already used in ci-image.yml.

Use the full resolved version in the trailing comment (v3.12.0) to
match the more common convention used elsewhere in .github/.
@mesutoezdil
mesutoezdil force-pushed the ci/pin-docker-actions branch from 81a48db to 895b986 Compare July 17, 2026 13:02
@benoitf

benoitf commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

hello, is it possible to enforce that on the GitHub configuration of this repository so only pinned actions can be run [1] [2] ?


[1] https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions
[2] https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/

@mesutoezdil

Copy link
Copy Markdown
Contributor Author

hello, is it possible to enforce that on the GitHub configuration of this repository so only pinned actions can be run [1] [2] ?

[1] https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions [2] https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/

makes sense from my side

@johntmyers

Copy link
Copy Markdown
Collaborator

/ok to test 1b60a24

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants