
Pin GitHub Actions to full SHA hashes#8

Merged: brunoborges merged 2 commits into main from copilot/fix-9919-1164872619-4ff0e904-c3f0-4acc-8e85-583f4fd8df89 on Jun 16, 2026

Conversation

Copilot AI commented Jun 16, 2026


Mutable tags like v6 or v5 can be silently redirected, making workflows vulnerable to supply chain attacks. Pinning to full commit SHAs eliminates that risk.

Changes

  • .github/workflows/build.yml — replaced tag references with full SHA pins and inline version comments:

    uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
    uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
  • .github/dependabot.yml — enabled github-actions ecosystem so Dependabot automatically opens PRs to keep the SHA pins current as new action versions are released.

Copilot AI changed the title from [WIP] Copilot Request to Pin GitHub Actions to full SHA hashes, Jun 16, 2026
GitHub Advanced Security started work on behalf of brunoborges June 16, 2026 13:47
Copilot AI requested a review from brunoborges June 16, 2026 13:47
GitHub Advanced Security finished work on behalf of brunoborges June 16, 2026 13:48
@brunoborges brunoborges marked this pull request as ready for review June 16, 2026 14:16
Copilot AI review requested due to automatic review settings June 16, 2026 14:16

Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub Actions configuration against supply-chain risk by replacing mutable action tags with full commit SHA pins, while enabling Dependabot to keep those pins up to date.

Changes:

  • Pinned actions/checkout and actions/setup-java to full 40-character commit SHAs (with inline version comments for traceability/Dependabot).
  • Enabled Dependabot updates for the github-actions ecosystem to automate future action pin updates.
Summary per file:

  • .github/workflows/build.yml: replaces mutable action tags with full SHA pins and inline version comments.
  • .github/dependabot.yml: adds github-actions Dependabot updates so pinned action SHAs can be refreshed automatically.

Copilot's findings


  • Files reviewed: 2/2 changed files
  • Comments generated: 0

@brunoborges brunoborges merged commit bcaf7c6 into main Jun 16, 2026
9 checks passed
3 participants