
fix: [Security] Pin GitHub Actions to a full-length commit SHA#4542

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
pin-github-actions-1773667469
Mar 16, 2026

Conversation

@juliendoutre

Contributor

Pin GitHub Actions to SHA hashes

This automated PR pins third-party GitHub Actions references from mutable tag versions (e.g., @v4) to their corresponding SHA hashes (e.g., @abc123...). The original tag is preserved as a comment for readability. Your workflows will work exactly the same way. Internal actions (under the DataDog organization) are not pinned.

Read https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions for more details and info on how to configure this for entire repos.

Why pin GitHub Actions?

Git tags are mutable: they can be moved to point to different commits at any time. A compromised or malicious action maintainer could update a tag to inject arbitrary code into your CI workflows (see the tj-actions incident). Pinning to SHA hashes ensures you always run the exact code you reviewed, protecting your repository from supply chain attacks such as the tj-actions incident.

What if something breaks?

If a pinned action doesn't work for your use case, you can push a commit directly to this branch to fix it. As a last resort, reach out to #sdlc-security on Slack.

Set up Dependabot or Renovate for automatic updates

Once actions are pinned to SHA hashes, you should configure Dependabot or Renovate to receive weekly update PRs when new versions are available.

In the case of Dependabot, create or update .github/dependabot.yml:

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns:
          - "*"
    open-pull-requests-limit: 10

Dependabot will automatically propose PRs that update both the SHA hash and the version comment like in this example.


This PR was automatically generated by the GitHub Actions Pinning tool, owned by #sdlc-security.

@juliendoutre juliendoutre requested a review from a team as a code owner March 16, 2026 13:24

datadog-prod-us1-3 Bot commented Mar 16, 2026


✅ Tests

🎉 All green!

❄️ No new flaky tests detected
🧪 All tests passed

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 59.29% (+3.50%)

🔗 Commit SHA: 4b317c8

@darccio darccio changed the title [Security] Pin GitHub Actions to a full-length commit SHA fix: [Security] Pin GitHub Actions to a full-length commit SHA Mar 16, 2026

pr-commenter Bot commented Mar 16, 2026


Benchmarks

Benchmark execution time: 2026-03-16 13:45:18

Comparing candidate commit 4b317c8 in PR branch pin-github-actions-1773667469 with baseline commit 3319a33 in branch main.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 157 metrics, 7 unstable metrics.

Explanation

This is an A/B test comparing a candidate commit's performance against that of a baseline commit. Performance changes are noted in the tables below as:

  • 🟩 = significantly better candidate vs. baseline
  • 🟥 = significantly worse candidate vs. baseline

We compute a confidence interval (CI) over the relative difference of means between metrics from the candidate and baseline commits, considering the baseline as the reference.

If the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD), the change is considered significant.

Feel free to reach out to #apm-benchmarking-platform on Slack if you have any questions.

More details about the CI and significant changes

You can imagine this CI as a range of values that is likely to contain the true difference of means between the candidate and baseline commits.

CIs of the difference of means are often centered around 0%, because often changes are not that big:

---------------------------------(------|---^--------)-------------------------------->
                              -0.6%    0%  0.3%     +1.2%
                                 |          |        |
         lower bound of the CI --'          |        |
sample mean (center of the CI) -------------'        |
         upper bound of the CI ----------------------'

As described above, a change is considered significant if the CI is entirely outside the configured SIGNIFICANT_IMPACT_THRESHOLD (or the deprecated UNCONFIDENCE_THRESHOLD).

For instance, for an execution time metric, this confidence interval indicates a significantly worse performance:

----------------------------------------|---------|---(---------^---------)---------->
                                       0%        1%  1.3%      2.2%      3.1%
                                                  |   |         |         |
       significant impact threshold --------------'   |         |         |
                      lower bound of CI --------------'         |         |
       sample mean (center of the CI) --------------------------'         |
                      upper bound of CI ----------------------------------'

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit 615aedf into main Mar 16, 2026
92 of 93 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the pin-github-actions-1773667469 branch March 16, 2026 15:06
gh-worker-dd-mergequeue-cf854d Bot pushed a commit that referenced this pull request Mar 17, 2026
### What does this PR do?

Completes the supply-chain hardening started in #4542 by automating ongoing
maintenance of SHA-pinned GitHub Actions:

1. Switches Dependabot to a **weekly** schedule so SHA pins stay current.
2. Pins the three remaining `@v` tag refs in `test-apps.cue` to full commit SHAs.
3. Adds an **auto-sync workflow** that patches `test-apps.cue` whenever
   Dependabot bumps SHAs in `test-apps.yml`.

### Motivation

After #4542, Dependabot can update YAML workflow files but not the CUE source
template (`test-apps.cue`). Without automation, every Dependabot PR creates
drift: `test-apps.yml` gets updated SHAs while `test-apps.cue` stays stale.
A developer running `make test-apps.yml` would silently revert all pinned SHAs
back to `@v` tags, undoing the security fix.

A naive CI drift check (`cue export && git diff --exit-code`) doesn't work
because `cue export` cannot produce YAML comments — Dependabot adds version
comments (`# vX.Y.Z`) that the CUE exporter can't reproduce, so the diff
would always be non-empty regardless of SHA correctness.

The auto-sync workflow triggers on Dependabot branch pushes, extracts updated
SHAs from `test-apps.yml` via `grep`/`sed`, patches `test-apps.cue`, and
commits back to the branch. Uses `push` trigger (not `pull_request_target`)
for simplicity and full write access without untrusted-code risks. The
`GITHUB_TOKEN` push safety prevents infinite workflow loops.

### Reviewer's Checklist

- [ ] Changed code has unit tests for its functionality at or near 100% coverage.
- [ ] [System-Tests](https://github.com/DataDog/system-tests/) covering this feature have been added and enabled with the va.b.c-dev version tag.
- [ ] There is a benchmark for any new code, or changes to existing code.
- [ ] If this interacts with the agent in a new way, a system test has been added.
- [ ] New code is free of linting errors. You can check this by running `make lint` locally.
- [ ] New code doesn't break existing tests. You can check this by running `make test` locally.
- [ ] Add an appropriate team label so this PR gets put in the right place for the release notes.
- [ ] All generated files are up to date. You can check this by running `make generate` locally.
- [ ] Non-trivial go.mod changes, e.g. adding new modules, are reviewed by @DataDog/dd-trace-go-guild. Make sure all nested modules are up to date by running `make fix-modules` locally.

Unsure? Have a question? Request a review!

Co-authored-by: kemal.akkoyun <kemal.akkoyun@datadoghq.com>
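The two mechanisms discussed on this page, pinning third-party `uses:` refs to a full commit SHA with the tag kept as a comment (the PR description above) and keeping the CUE template in step with the Dependabot-updated YAML (the follow-up commit message), can both be exercised offline. The Go program below is an added example written for this page; it is not the GitHub Actions Pinning tool or the auto-sync workflow from these PRs. It audits a workflow for third-party actions that are not referenced by a 40-hex SHA (skipping the DataDog organization, as the tool does), pins them from a caller-supplied tag-to-SHA map (the real tool resolves tags against GitHub; the map and every SHA here are constructed filler, not real commits), and copies the pinned SHAs into a CUE source by comparing refs rather than comments, which is why the `# vX.Y.Z` comments that `cue export` cannot reproduce do not get in the way. The sample workflow, the CUE snippet, the `DataDog/internal-action` name and the function names are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesRef matches `uses: owner/repo[/path]@ref` and captures the prefix, the
// action name, the ref and any trailing comment. Local (./) and docker:// refs
// do not have the owner/repo@ref shape and are deliberately left unmatched.
var usesRef = regexp.MustCompile(`^(\s*-?\s*uses:\s*)([\w.-]+/[\w./-]+)@([^\s#]+)(\s*#.*)?$`)

// fullSHA accepts only a full-length commit SHA; short SHAs are still flagged.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// internalOrg mirrors the PR's rule that actions under DataDog/ are not pinned.
const internalOrg = "DataDog/"

// Finding is one third-party `uses:` line that is not pinned to a full SHA.
type Finding struct {
	Line   int
	Action string
	Ref    string
}

// AuditWorkflow lists every third-party action referenced by a tag, branch or
// short SHA instead of a 40-hex commit SHA.
func AuditWorkflow(yaml string) []Finding {
	var out []Finding
	for i, line := range strings.Split(yaml, "\n") {
		m := usesRef.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[2], internalOrg) || fullSHA.MatchString(m[3]) {
			continue
		}
		out = append(out, Finding{Line: i + 1, Action: m[2], Ref: m[3]})
	}
	return out
}

// PinWorkflow rewrites each mutable third-party ref to the SHA in resolved
// (keyed "owner/repo@tag"), keeping the original tag as a trailing comment.
// Refs with no entry are left alone so AuditWorkflow keeps reporting them.
func PinWorkflow(yaml string, resolved map[string]string) string {
	lines := strings.Split(yaml, "\n")
	for i, line := range lines {
		m := usesRef.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(m[2], internalOrg) || fullSHA.MatchString(m[3]) {
			continue
		}
		if sha, ok := resolved[m[2]+"@"+m[3]]; ok && fullSHA.MatchString(sha) {
			lines[i] = fmt.Sprintf("%s%s@%s # %s", m[1], m[2], sha, m[3])
		}
	}
	return strings.Join(lines, "\n")
}

// PinnedSHAs maps action name -> full SHA for every pinned ref in the YAML.
func PinnedSHAs(yaml string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(yaml, "\n") {
		if m := usesRef.FindStringSubmatch(line); m != nil && fullSHA.MatchString(m[3]) {
			out[m[2]] = m[3]
		}
	}
	return out
}

// SyncPins copies the SHA each action is pinned to in the YAML into the CUE
// source, replacing whatever ref (tag or older SHA) the CUE has for that action.
// Only refs are compared, never comments. Returns the patched source and the
// number of refs changed; 0 means the two files are already in sync.
func SyncPins(yaml, cue string) (string, int) {
	changed := 0
	for action, sha := range PinnedSHAs(yaml) {
		re := regexp.MustCompile(`(^|[^\w./-])` + regexp.QuoteMeta(action) + `@([^\s"'#]+)`)
		cue = re.ReplaceAllStringFunc(cue, func(s string) string {
			m := re.FindStringSubmatch(s)
			if m[2] == sha {
				return s
			}
			changed++
			return m[1] + action + "@" + sha
		})
	}
	return cue, changed
}

// Constructed sample inputs; the SHAs are patterned filler, not real commits.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@cafef00dcafef00dcafef00dcafef00dcafef00d # v5.0.0
      - uses: DataDog/internal-action@v1
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: tj-actions/changed-files@main
`

const sampleCue = `steps: [
	{uses: "actions/checkout@v4"},
	{uses: "actions/setup-go@0000000000000000000000000000000000000000"},
	{uses: "DataDog/internal-action@v1"},
]
`

func main() {
	for _, f := range AuditWorkflow(sampleWorkflow) {
		fmt.Printf("line %d: %s@%s is not pinned to a full commit SHA\n", f.Line, f.Action, f.Ref)
	}
	pinned := PinWorkflow(sampleWorkflow, map[string]string{
		"actions/checkout@v4": "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef", // constructed
	})
	cue, n := SyncPins(pinned, sampleCue)
	fmt.Printf("patched %d ref(s) in CUE source:\n%s", n, cue)
}
```

Running it flags `actions/checkout@v4` and `tj-actions/changed-files@main`, leaves the DataDog-internal, local and docker refs alone, pins checkout from the map, and then rewrites both the `@v4` tag and the stale all-zero SHA in the CUE snippet; a second `SyncPins` pass over the patched CUE reports 0 changes, which is the drift check the commit message says a plain `cue export && git diff` cannot give you.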

3 participants