
chore(ci): pin GitHub Actions to commit SHAs #463

Merged
akantcheff merged 1 commit into develop from chore/pin-gha-sha on Apr 29, 2026

Conversation

@akantcheff
Contributor

@akantcheff akantcheff commented Apr 29, 2026

Summary

  • Pin all third-party GitHub Actions to full 40-character commit SHAs to mitigate the supply-chain risk of mutable tag refs.
  • Append inline # vX.Y.Z comments next to each pin so reviewers can see the resolved version at a glance.
  • Internal bonitasoft/* actions and the local _reusable_build.yml reusable workflow call are intentionally left untouched.
| Action | Old | New SHA | Version |
| --- | --- | --- | --- |
| actions/checkout | @v5 | 93cb6efe18208431cddfb8368fd83d5badbf9bfd | v5.0.1 |
| actions/setup-java | @v5 | be666c2fcd27ec809703dec50e508c2fdc7f6654 | v5.2.0 |
| github/codeql-action/{init,autobuild,analyze} | @v3 | ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a | v3.35.2 |
| gsactions/commit-message-checker | @v2 | 16fa2d5de096ae0d35626443bcd24f1e756cafee | v2.0.0 |
| peter-evans/create-pull-request | @v7 | 22a9089034f40e5a961c8808d113e2c98fb63676 | v7.0.11 |
| docker/login-action | @v3 | c94ce9fb468520275223c153574b00df6fe4bcc9 | v3.7.0 |

Test plan

  • CI build green on this PR (exercises _reusable_build.yml, check-commit-message.yml, codeql-analysis.yml)
  • Confirm CodeQL workflow still runs on the PR
  • Spot-check that publish.yml, release.yml, and workflow-update-spec.yml still parse (no syntax errors flagged by GitHub)

🤖 Generated with Claude Code

Pin all third-party GitHub Actions references to full commit SHAs to
mitigate the supply-chain risk of mutable tags. Each pin includes an
inline comment with the resolved version tag for readability and future
updates. Internal bonitasoft/* actions and the local reusable workflow
call are intentionally left as version refs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
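The pinning rule the PR applies (third-party `uses:` refs become `@<40-hex-sha> # vX.Y.Z`, while `bonitasoft/*` actions and the local `./.github/workflows/_reusable_build.yml` call stay as they are) can be automated and, more usefully, enforced in CI so the next contributor cannot reintroduce a mutable tag. The script below is an added example and is not code from this PR or from the bonitasoft repository. The tag-to-SHA mapping is copied from the table in the PR description; the sample workflow and the action name `bonitasoft/some-internal-action` are constructed for the demonstration. In real use the SHAs come from `git ls-remote --tags https://github.com/<owner>/<repo>`; for an annotated tag take the `refs/tags/<tag>^{}` line, which is the commit, rather than the tag object.

```python
"""Pin third-party GitHub Actions to full commit SHAs and lint for unpinned refs.

Added example, not project code. PINS reproduces the PR table; SAMPLE_BEFORE is constructed.
"""
import re

# Tag -> (commit SHA, version tag) exactly as listed in the PR description.
PINS = {
    "actions/checkout": ("93cb6efe18208431cddfb8368fd83d5badbf9bfd", "v5.0.1"),
    "actions/setup-java": ("be666c2fcd27ec809703dec50e508c2fdc7f6654", "v5.2.0"),
    "github/codeql-action": ("ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a", "v3.35.2"),
    "gsactions/commit-message-checker": ("16fa2d5de096ae0d35626443bcd24f1e756cafee", "v2.0.0"),
    "peter-evans/create-pull-request": ("22a9089034f40e5a961c8808d113e2c98fb63676", "v7.0.11"),
    "docker/login-action": ("c94ce9fb468520275223c153574b00df6fe4bcc9", "v3.7.0"),
}

# Matches `- uses: owner/repo[/subpath]@ref` and captures whatever trails it (e.g. a comment).
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^\s*#\s*v\d")

# First-party actions deliberately left as version refs, mirroring the PR.
INTERNAL_PREFIXES = ("bonitasoft/",)


def is_exempt(action: str) -> bool:
    """Local reusable workflows, docker:// images and internal actions are not SHA-pinned here."""
    return action.startswith(("./", "docker://")) or action.startswith(INTERNAL_PREFIXES)


def repo_key(action: str) -> str:
    """github/codeql-action/init -> github/codeql-action (sub-actions share the repo's commit)."""
    return "/".join(action.split("/")[:2])


def pin_workflow(text: str, pins: dict = PINS) -> str:
    """Rewrite tag refs of known third-party actions to `@<sha> # <version>`."""
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not is_exempt(m["action"]) and repo_key(m["action"]) in pins:
            sha, version = pins[repo_key(m["action"])]
            if not FULL_SHA_RE.match(sha):  # abbreviated SHAs are not a collision-resistant pin
                raise ValueError(f"{m['action']}: refusing to pin to non-full SHA {sha!r}")
            line = f"{m['prefix']}{m['action']}@{sha} # {version}"
        out.append(line)
    return "\n".join(out) + "\n"


def lint_pins(text: str) -> list:
    """Return (line_no, message) for each third-party action not pinned to a full SHA with a version comment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or is_exempt(m["action"]):
            continue
        if not FULL_SHA_RE.match(m["ref"]):
            findings.append((n, f"{m['action']}@{m['ref']}: mutable ref, not a commit SHA"))
        elif not VERSION_COMMENT_RE.match(m["rest"]):
            findings.append((n, f"{m['action']}: SHA pin lacks a '# vX.Y.Z' comment"))
    return findings


# Constructed sample workflow; bonitasoft/some-internal-action is a made-up action name.
SAMPLE_BEFORE = """\
name: ci
on: [push]
jobs:
  build:
    uses: ./.github/workflows/_reusable_build.yml
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: github/codeql-action/init@v3
        with:
          languages: java
      - uses: bonitasoft/some-internal-action@v1
      - uses: docker/login-action@v3
"""

if __name__ == "__main__":
    for line_no, msg in lint_pins(SAMPLE_BEFORE):
        print(f"before: line {line_no}: {msg}")
    pinned = pin_workflow(SAMPLE_BEFORE)
    print(pinned)
    print("after:", lint_pins(pinned) or "clean")
```

Running `lint_pins` as a CI step (failing the job on any finding) is what keeps the pins from eroding; the `# vX.Y.Z` comment is not decoration, since it is what a reviewer, and a tool such as Dependabot, uses to tell which release a bare SHA corresponds to when proposing the next bump.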

@akantcheff akantcheff merged commit e850e6e into develop Apr 29, 2026
12 checks passed
@akantcheff akantcheff deleted the chore/pin-gha-sha branch April 29, 2026 08:39
