Skip to content

fix(templates): pin release-generic.yml actions to commit SHAs#46

Merged
CybotTM merged 1 commit into
mainfrom
fix/pin-template-actions
Jul 2, 2026
Merged

fix(templates): pin release-generic.yml actions to commit SHAs#46
CybotTM merged 1 commit into
mainfrom
fix/pin-template-actions

Conversation

@CybotTM

@CybotTM CybotTM commented Jul 2, 2026

Copy link
Copy Markdown
Member

Pins the six mutable @vN action refs in skills/github-release/templates/release-generic.yml to commit SHAs (with version comments), clearing the yaml.github-actions.security.github-actions-mutable-action-tag Opengrep findings that showed on #45.

Refs pinned to current majors: checkout v7.0.0, sbom-action v0.24.0, cosign-installer v4.1.2, attest-build-provenance v4.1.1, action-gh-release v3.0.1. Inputs used by the template are unchanged across these majors.

Opengrep's github-actions-mutable-action-tag rule flags the six `@vN`
action refs in the shipped release template. Pin each to its release
commit SHA with a version comment; refs bumped to current majors
(checkout v7, cosign-installer v4, attest-build-provenance v4,
action-gh-release v3, sbom-action v0.24).

Signed-off-by: Sebastian Mendel <info@sebastianmendel.de>
Copilot AI review requested due to automatic review settings July 2, 2026 00:48
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@github-actions github-actions Bot added the skill label Jul 2, 2026
@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026

Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the GitHub Actions workflow in skills/github-release/templates/release-generic.yml to pin action versions to specific commit SHAs instead of mutable tags (such as actions/checkout, anchore/sbom-action, sigstore/cosign-installer, actions/attest-build-provenance, and softprops/action-gh-release). This is a security hardening practice to prevent untrusted code execution from tag modifications. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins third-party GitHub Actions used by the skills/github-release “release-generic” workflow template to immutable commit SHAs (with version comments), addressing the mutable-tag security findings referenced in #45 while keeping the workflow’s inputs/configuration the same.

Changes:

  • Replaced mutable @vN action references with full commit SHAs for actions/checkout, anchore/sbom-action, sigstore/cosign-installer, actions/attest-build-provenance, and softprops/action-gh-release.
  • Added inline version comments (e.g., # vX.Y.Z) to preserve human-readable version context.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@CybotTM CybotTM merged commit 521790c into main Jul 2, 2026
22 checks passed
@CybotTM CybotTM deleted the fix/pin-template-actions branch July 2, 2026 00:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants