Problem
Repositories with security rulesets requiring "all actions must be pinned to full-length commit SHA" cannot use Factory-AI/droid-action because it internally references actions using version tags instead of commit SHAs.
Error
When running the droid-action in a repository with SHA-pinning requirements:
```text
The action actions/upload-artifact@v4 is not allowed in <repo>
because all actions must be pinned to a full-length commit SHA.
```
Root Cause
In `action.yml`, the action uses:
```yaml
- uses: actions/upload-artifact@v4
```
GitHub's repository rulesets apply SHA-pinning requirements recursively to all nested action dependencies, including those referenced by composite actions.
Requested Change
Update internal action references to use full-length commit SHAs:
```yaml
# Before
- uses: actions/upload-artifact@v4
# After
- uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
```
Why This Matters
- SLSA Level 2+ compliance requires immutable action references
- SHA pinning defends against tag manipulation, since a version tag can be moved to a different commit while a commit SHA cannot
- Enterprise adoption often mandates SHA-pinning for all third-party actions
- GitHub's security hardening guide recommends this practice: Security hardening for GitHub Actions
Affected Versions
| Version | SHA | Status |
|---|---|---|
| v1 tag | 65dab2847e1b4a8a24332cfdef116e4ac3777789 | Contains non-pinned references |
| Latest | e3f8be9f34bb41b11e852e836cb64e81f13fba59 | Contains non-pinned references |
Additional Context
This is a blocking issue for security-conscious organizations. We would like to use droid-action for automated PR reviews but cannot until internal dependencies are SHA-pinned.
Thank you for considering this enhancement!
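The check and rewrite described under Requested Change, as an added example that is not part of Factory-AI/droid-action or of the original issue. It finds every remote `uses:` reference that is not a 40-hex commit SHA (the same condition the ruleset enforces), rewrites those lines from a caller-supplied map of tag to commit SHA, keeping the release tag as a trailing comment in the `# v4.5.0` style used above, and parses `git ls-remote --tags` output. The ls-remote parser prefers the `refs/tags/<tag>^{}` line, because for an annotated tag the plain line is the tag object's id, which GitHub will not accept as a pin. The sample `action.yml`, the ls-remote output, the `actions/checkout` SHA in `SAMPLE_RESOLVED` and the helper names are constructed for this example; only the `actions/upload-artifact` v4.5.0 SHA is taken from the issue text.

```python
"""Find and pin unpinned `uses:` references in GitHub Actions YAML.

Added example (not Factory-AI/droid-action's code). Operates on action.yml or
workflow text as a string; the sample inputs at the bottom are constructed.
"""
import re
import subprocess

# A remote action reference: owner/repo[/subdir]@ref. Local paths (./x) and
# docker:// references never match and are left alone; rulesets do not pin them.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s+)?uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned(yaml_text):
    """Return (line_no, action, ref) for each remote `uses:` not pinned to a 40-hex SHA."""
    hits = []
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            hits.append((line_no, m.group("action"), m.group("ref")))
    return hits


def parse_ls_remote(output, tag):
    """Pick the commit SHA for `tag` out of `git ls-remote --tags` output.

    An annotated tag appears twice: refs/tags/<tag> (the tag object) and
    refs/tags/<tag>^{} (the peeled commit). Only the peeled commit is a valid
    `uses:` pin, so prefer it; a lightweight tag only has the plain line.
    """
    plain = peeled = None
    for line in output.splitlines():
        sha, _, ref = line.partition("\t")
        if ref == f"refs/tags/{tag}^{{}}":
            peeled = sha
        elif ref == f"refs/tags/{tag}":
            plain = sha
    sha = peeled or plain
    if sha is None or not FULL_SHA_RE.match(sha):
        raise ValueError(f"tag {tag} not found in ls-remote output")
    return sha


def resolve_tag(action, tag):
    """Network helper (not used by the offline sample): resolve owner/repo@tag via git."""
    owner_repo = "/".join(action.split("/")[:2])
    out = subprocess.run(
        ["git", "ls-remote", "--tags", f"https://github.com/{owner_repo}", tag],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_ls_remote(out, tag)


def pin_references(yaml_text, resolved):
    """Rewrite unpinned refs. `resolved` maps (action, ref) -> (commit_sha, version_label).

    The label becomes a trailing comment so readers and update bots can still
    see which release the SHA corresponds to. Any previous trailing comment is dropped.
    """
    out = []
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m.group("ref")):
            key = (m.group("action"), m.group("ref"))
            if key not in resolved:
                raise KeyError(f"no commit SHA resolved for {key[0]}@{key[1]}")
            sha, label = resolved[key]
            if not FULL_SHA_RE.match(sha):
                raise ValueError(f"refusing to pin {key[0]} to non-commit ref {sha!r}")
            line = f"{m.group('prefix')}{m.group('action')}@{sha} # {label}"
        out.append(line)
    return "\n".join(out) + ("\n" if yaml_text.endswith("\n") else "")


# Constructed composite action resembling the one in the issue.
SAMPLE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: ./.github/actions/local-helper
    - uses: actions/checkout@v4
    - uses: actions/upload-artifact@v4
      with:
        name: review-output
"""

# upload-artifact SHA is the one quoted in the issue; the checkout SHA is a placeholder.
SAMPLE_RESOLVED = {
    ("actions/upload-artifact", "v4"): ("6f51ac03b9356f520e9adb1b1b7802705f340c2b", "v4.5.0"),
    ("actions/checkout", "v4"): ("0123456789abcdef0123456789abcdef01234567", "v4 (placeholder)"),
}

# Constructed ls-remote output: tag object id (made up) plus the peeled commit.
SAMPLE_LS_REMOTE = (
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\trefs/tags/v4.5.0\n"
    "6f51ac03b9356f520e9adb1b1b7802705f340c2b\trefs/tags/v4.5.0^{}\n"
)

if __name__ == "__main__":
    for line_no, action, ref in find_unpinned(SAMPLE_ACTION_YML):
        print(f"line {line_no}: {action}@{ref} is not pinned to a commit SHA")
    print(pin_references(SAMPLE_ACTION_YML, SAMPLE_RESOLVED))
```

Run `find_unpinned` over `action.yml` in CI of any action you publish and the ruleset failure shown above is caught before a consumer hits it; `pin_references` is the one-off fix, with `resolve_tag` supplying the map from the real tags.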