
Pin two imported actions to a set sha #90

Merged
sgoedecke merged 1 commit into actions:main from garman:pin-to-sha
Aug 13, 2025

Conversation

@garman
Contributor

@garman garman commented Aug 12, 2025

Pinning to a version instead of a SHA can lead to supply chain attacks. This aims to link to the current release sha for both updates.

Copilot AI review requested due to automatic review settings August 12, 2025 19:06
@garman garman requested a review from a team as a code owner August 12, 2025 19:06
Contributor

Copilot AI left a comment


Pull Request Overview

This pull request enhances security by pinning GitHub Actions to specific commit SHAs instead of using version tags, which helps prevent supply chain attacks.

  • Pin ruby/setup-ruby action from version tag v1 to SHA 829114fc20da43a41d27359103ec7a63020954d4
  • Pin licensee/setup-licensed action from version tag v1.3.2 to SHA 0d52e575b3258417672be0dff2f115d7db8771d8

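The check this PR performs by hand, as an added example (not code from the PR or the actions repository): scan a workflow for `uses:` references that are not pinned to a full 40-hex commit SHA, and rewrite them the way the PR does, keeping the old tag as a trailing comment. The sample workflow is constructed for the example; the two SHAs are the ones listed in the review summary above.

```python
import re

# Constructed sample workflow, not the repository's real file: one action still
# on a mutable tag, one already pinned to the SHA from this PR, plus two
# reference kinds (local path, docker image) that the SHA rule does not apply to.
SAMPLE_WORKFLOW = """\
steps:
  - uses: ruby/setup-ruby@v1
  - uses: licensee/setup-licensed@0d52e575b3258417672be0dff2f115d7db8771d8 # v1.3.2
  - uses: ./.github/actions/local-helper
  - uses: docker://alpine:3.20
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Return 'sha', 'mutable', 'local' or 'docker' for one `uses:` value.

    Anything after '@' that is not a full 40-hex commit id (a tag, a branch,
    an abbreviated SHA, or no ref at all) can be moved by the action's owner,
    so it is reported as mutable.
    """
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    _action, _, version = ref.rpartition("@")
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text):
    """Return [(line_no, ref)] for remote actions not pinned to a commit SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((n, m.group(1)))
    return findings


def pin(line, sha_for):
    """Rewrite a mutable `uses:` line to the SHA in sha_for, keeping the tag as a comment."""
    m = USES_RE.match(line)
    if not m or classify(m.group(1)) != "mutable" or m.group(1) not in sha_for:
        return line
    ref = m.group(1)
    action, _, version = ref.rpartition("@")
    return line.replace(ref, f"{action}@{sha_for[ref]}  # {version}", 1)
```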

@sgoedecke sgoedecke merged commit c72cb2e into actions:main Aug 13, 2025
6 checks passed

3 participants