
Update and pin github actions to full SHAs for supply chain security#3185

Merged
zuiderkwast merged 3 commits into
valkey-io:unstablefrom
rainsupreme:action-shas
Feb 12, 2026

Conversation

@rainsupreme

@rainsupreme rainsupreme commented Feb 10, 2026

Contributor

Updates to latest versions for each of the github actions used.

Pinning prevents an attack where the upstream action dependency is compromised and the "v4" tag, for example, gets edited to point to a malicious version. We already do this for most checkout actions in our workflows (most, currently; I'm fixing that in my libbacktrace PR #3034).

Signed-off-by: Rain Valentine <rsg000@gmail.com>
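The attack described in the PR text relies on the fact that a tag such as `v4` or a branch name is a mutable pointer in the upstream repository, while a full 40-hex-digit commit SHA is not. The check below is an added example written for this page, not code from the PR or from the Valkey repository: it scans workflow files for `uses:` references and reports which ones still resolve through a mutable ref. The sample workflow, the action names `example-org/*` and every SHA in it are constructed for the example. It deliberately avoids a YAML dependency and matches `uses:` lines directly, which is an assumption about the usual one-action-per-line layout of workflow files. Pinning alone is only half the job: bumping major versions at the same time can change an action's inputs, as the later codecov-action v4 to v5 `file`/`files` fix on this page shows, so the version comment the check asks for after each SHA is there so a reviewer can see what release the hash corresponds to.

```python
"""Audit GitHub Actions workflow text for `uses:` references that are not
pinned to a full commit SHA (added example, not Valkey project code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Only a full 40-hex-digit object id counts as a pin. Abbreviated SHAs are
# rejected: a short prefix is not collision-resistant against someone who
# can push commits to the upstream repository.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

# `uses:` on a step line, optionally followed by a trailing `# comment`.
USES_LINE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<target>[^\s#]+)(?:\s+#\s*(?P<comment>.*?))?\s*$"
)


@dataclass
class Finding:
    line_no: int
    target: str
    status: str  # one of the strings returned by classify()


def classify(target: str, comment: Optional[str]) -> str:
    """Return local, docker, pinned, pinned-no-version-comment or unpinned."""
    if target.startswith("./"):
        return "local"        # action in this repo: same trust domain as the workflow
    if target.startswith("docker://"):
        return "docker"       # image reference; pin by digest instead (not checked here)
    if "@" not in target:
        return "unpinned"     # no ref at all resolves to the default branch
    ref = target.rsplit("@", 1)[1]
    if not FULL_SHA.match(ref):
        return "unpinned"     # tag or branch: upstream can move it after the fact
    # SHA-pinned. A trailing `# vX.Y.Z` comment is what lets a reviewer (and
    # update tooling) see which release the hash is supposed to correspond to.
    return "pinned" if comment else "pinned-no-version-comment"


def check_workflow(text: str) -> List[Finding]:
    """Scan workflow text line by line and classify every `uses:` reference."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m is None:
            continue
        target = m.group("target").strip("'\"")
        findings.append(Finding(line_no, target, classify(target, m.group("comment"))))
    return findings


def unpinned_targets(text: str) -> List[str]:
    """The references a reviewer would block the PR on."""
    return [f.target for f in check_workflow(text) if f.status == "unpinned"]


# Constructed sample workflow: action names and SHAs are made up for the
# example and are not taken from the Valkey repository.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: example-org/setup-tool@v5
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: example-org/other-tool@main
      - uses: example-org/report@fedcba9876543210fedcba9876543210fedcba98
"""

if __name__ == "__main__":
    for f in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no:>3}  {f.status:<26} {f.target}")
```

Run it against `.github/workflows/*.yml` by reading each file and passing its text to `check_workflow`; anything reported as `unpinned` is exactly the class of reference this PR replaces. A SHA pin is still only as trustworthy as the review of what that commit contains, and an action that itself pulls another action by tag or a Docker image by `latest` remains mutable one level down.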
@zuiderkwast

Contributor

While we're doing this, shall we also lift to the latest version in all jobs? 6.0.2

@codecov

codecov Bot commented Feb 10, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (87caeb7) to head (ef36108).
⚠️ Report is 8 commits behind head on unstable.

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable   #3185       +/-   ##
============================================
- Coverage     74.90%       0   -74.91%     
============================================
  Files           129       0      -129     
  Lines         71327       0    -71327     
============================================
- Hits          53429       0    -53429     
+ Misses        17898       0    -17898     

see 129 files with indirect coverage changes


Signed-off-by: Rain Valentine <rsg000@gmail.com>

@zuiderkwast zuiderkwast left a comment

Contributor


Did the update of taiki-e/install-action make our spellcheck fail?

@rainsupreme

rainsupreme commented Feb 11, 2026

Contributor Author

I think the updated spellchecker is just more picky. I guess I'll fix things up 😓

@rainsupreme rainsupreme force-pushed the action-shas branch 2 times, most recently from b220d3b to fd9784a Compare February 11, 2026 22:51
Signed-off-by: Rain Valentine <rsg000@gmail.com>
@zuiderkwast

Contributor

I think the updated spellchecker is just more picky. I guess I'll fix things up 😓

Sounds good. Otherwise, perhaps we can stay on the older minor version, just update to the latest patch version.

@rainsupreme

Contributor Author

The test failure looks unrelated to my changes, right? Could we rerun it or ignore it maybe?

@zuiderkwast zuiderkwast left a comment

Contributor


misc spelling fixes - this is what I get for updating the spellchecker

Thank you! It's much appreciated.

The test failure looks unrelated to my changes, right?

Agree, it's unrelated.

@zuiderkwast zuiderkwast changed the title pin github actions to full SHAs for supply chain security Update and github actions to full SHAs for supply chain security Feb 12, 2026
@zuiderkwast zuiderkwast changed the title Update and github actions to full SHAs for supply chain security Update and pin github actions to full SHAs for supply chain security Feb 12, 2026
@zuiderkwast zuiderkwast merged commit 9cbe104 into valkey-io:unstable Feb 12, 2026
34 of 35 checks passed
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 8.1 Feb 12, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 9.0 Feb 12, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 8.0 Feb 12, 2026
@github-project-automation github-project-automation Bot moved this to To be backported in Valkey 7.2 Feb 12, 2026
@zuiderkwast

Contributor

When we backport this, we can skip lifting the spell checker to the latest version, if fixing the spelling causes merge conflicts.

@rainsupreme rainsupreme deleted the action-shas branch February 12, 2026 22:13
@roshkhatri roshkhatri moved this from To be backported to 8.1.6 WIP in Valkey 8.1 Feb 17, 2026
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 17, 2026
…alkey-io#3185)

Updates to latest versions for each of the github actions used.

Pinning prevents an attack where the upstream action dependency is
compromised and the "v4" tag for example gets edited to point to a
malicious version. We already do this for most checkout actions in our
workflows.

---------

Signed-off-by: Rain Valentine <rsg000@gmail.com>
Signed-off-by: Roshan Khatri <rvkhatri@amazon.com>
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 17, 2026
@roshkhatri roshkhatri moved this from To be backported to 9.0.3 in Valkey 9.0 Feb 17, 2026
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 17, 2026
@roshkhatri roshkhatri moved this from To be backported to 8.0.7 (WIP) in Valkey 8.0 Feb 18, 2026
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 18, 2026
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 18, 2026
roshkhatri added a commit to roshkhatri/valkey that referenced this pull request Feb 18, 2026
…alkey-io#3185)

Updates to latest versions for each of the github actions used.

Pinning prevents an attack where the upstream action dependency is
compromised and the "v4" tag for example gets edited to point to a
malicious version.

Also fixes typos in source code and test files.

(cherry picked from commit 9cbe104)
Adapted for 7.2: skipped files not present in this branch.

Signed-off-by: Rain Valentine <rsg000@gmail.com>
Signed-off-by: Roshan Khatri <rvkhatri@amazon.com>
@roshkhatri roshkhatri moved this from To be backported to 7.2.12 in Valkey 7.2 Feb 18, 2026
roshkhatri added a commit to roshkhatri/valkey that referenced this pull request Feb 19, 2026
harrylin98 pushed a commit to harrylin98/valkey_forked that referenced this pull request Feb 19, 2026
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 20, 2026
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 20, 2026
roshkhatri pushed a commit to roshkhatri/valkey that referenced this pull request Feb 20, 2026
roshkhatri added a commit to roshkhatri/valkey that referenced this pull request Feb 23, 2026
hpatro pushed a commit that referenced this pull request Feb 24, 2026
madolson pushed a commit that referenced this pull request Feb 24, 2026
madolson pushed a commit that referenced this pull request Feb 24, 2026
madolson pushed a commit that referenced this pull request Feb 24, 2026
madolson pushed a commit that referenced this pull request Feb 24, 2026
zuiderkwast pushed a commit that referenced this pull request Mar 5, 2026
This PR fixes a Codecov workflow misconfiguration introduced when
upgrading codecov/codecov-action from v4 to v5 (in #3185).
In v5, the action expects files (plural), but the workflow still used
file.

The coverage shown is 0 right now:
https://app.codecov.io/gh/valkey-io/valkey


Documentation from -
https://github.com/codecov/codecov-action/tree/v5?tab=readme-ov-file#arguments

```
The following arguments have been changed

    file (this has been deprecated in favor of files)
    plugin (this has been deprecated in favor of plugins)

```

Signed-off-by: Sarthak Aggarwal <sarthagg@amazon.com>
eifrah-aws pushed a commit to eifrah-aws/valkey that referenced this pull request Mar 5, 2026
hpatro pushed a commit to hpatro/valkey that referenced this pull request Mar 5, 2026
hpatro pushed a commit to hpatro/valkey that referenced this pull request Mar 5, 2026
akashkgit pushed a commit to akashkgit/valkey that referenced this pull request Mar 6, 2026

Labels

None yet

Projects

Status: 7.2.12 WIP
Status: 8.0.7 (WIP)
Status: 8.1.6
Status: 9.0.3

Development

Successfully merging this pull request may close these issues.

4 participants