Conversation

@corneliusludmann
Contributor

Pin all external GitHub Actions to specific commit SHAs for supply chain security.

Changes

  • actions/cache@v4 → pinned to SHA
  • actions/checkout@v5 → pinned to SHA
  • actions-ecosystem/action-add-labels@v1 → pinned to SHA
  • actions/setup-node@v5 → pinned to SHA
  • cschleiden/actions-linter@v1 → pinned to SHA
  • google-github-actions/[email protected] → pinned to SHA
  • google-github-actions/[email protected] → pinned to SHA
  • slackapi/[email protected] → pinned to SHA

Exceptions

Internal Gitpod workflows (not pinned to SHA):

  • gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
  • gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main

Related

Pin all external GitHub Actions to specific commit SHAs to prevent
supply chain attacks via malicious tag updates.

Actions pinned:
- actions/cache@v4
- actions/checkout@v5
- actions-ecosystem/action-add-labels@v1
- actions/setup-node@v5
- cschleiden/actions-linter@v1
- google-github-actions/[email protected]
- google-github-actions/[email protected]
- slackapi/[email protected]

Exceptions (internal Gitpod workflows, not pinned):
- gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
- gitpod-io/gce-github-runner/.github/workflows/delete-vm.yml@main

Part of PDE-138
Closes PDE-218

Co-authored-by: Ona <[email protected]>
@corneliusludmann corneliusludmann marked this pull request as ready for review December 10, 2025 11:26
@corneliusludmann corneliusludmann requested a review from a team as a code owner December 10, 2025 11:26
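Added example, not code from this PR or from the gitpod-io repositories: a small Python checker/rewriter for the pinning rule the PR applies. It assumes a dict-based `resolver` (a stand-in for `git ls-remote` or the GitHub API) and treats the org's own reusable workflows as an allow-listed exception, as the PR does. The sample workflow, the `fake_sha` helper, the `INTERNAL`/`RESOLVER` names and every SHA are constructed for illustration and are not the real commits behind those tags.

```python
"""Check and rewrite GitHub Actions `uses:` references to full commit SHAs.

Added example (not the PR's code). Assumption: `resolver` maps "owner/repo@ref"
to a commit SHA; in practice that comes from `git ls-remote` or the GitHub API.
"""
import hashlib
import re

FULL_SHA = re.compile(r"[0-9a-f]{40}")
# Matches "uses:" both as a step ("- uses:") and as a reusable-workflow job ("uses:").
USES_LINE = re.compile(r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)(?P<value>[^\s#]+)(?P<rest>.*)$")


def parse_uses(value):
    """Split "owner/repo[/path]@ref" into (repo, path, ref).

    Returns None for local "./..." actions and "docker://" images, which are
    not git references and so fall outside SHA pinning.
    """
    if value.startswith("./") or value.startswith("docker://") or "@" not in value:
        return None
    target, ref = value.rsplit("@", 1)
    parts = target.split("/")
    if len(parts) < 2 or not ref:
        return None
    return "/".join(parts[:2]), "/".join(parts[2:]), ref


def is_pinned(ref):
    """Only a full 40-hex commit SHA counts; tags and branches are mutable, short SHAs ambiguous."""
    return FULL_SHA.fullmatch(ref) is not None


def find_unpinned(workflow_text, allow_mutable=()):
    """Return [(line_no, uses_value)] for remote refs not pinned to a full SHA.

    Repositories in allow_mutable (e.g. the org's own reusable workflows) are
    skipped, mirroring the "Exceptions" list in the PR description.
    """
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_LINE.match(line)
        parsed = parse_uses(m.group("value")) if m else None
        if parsed is None:
            continue
        repo, _path, ref = parsed
        if not is_pinned(ref) and repo not in allow_mutable:
            findings.append((line_no, m.group("value")))
    return findings


def pin_workflow(workflow_text, resolver, allow_mutable=()):
    """Rewrite each unpinned remote `uses:` to owner/repo[/path]@<sha> # <ref>.

    The trailing comment records the human-readable version the SHA stands for.
    An unresolvable ref raises instead of being left mutable by accident.
    """
    out = []
    for line in workflow_text.splitlines():
        m = USES_LINE.match(line)
        parsed = parse_uses(m.group("value")) if m else None
        if parsed is not None:
            repo, path, ref = parsed
            if not is_pinned(ref) and repo not in allow_mutable:
                sha = resolver.get(f"{repo}@{ref}")
                if sha is None or not is_pinned(sha):
                    raise ValueError(f"cannot resolve {repo}@{ref} to a full commit SHA")
                target = f"{repo}/{path}" if path else repo
                line = f"{m.group('prefix')}{target}@{sha} # {ref}"
        out.append(line)
    return "\n".join(out) + "\n"


def fake_sha(key):
    """Constructed stand-in for a resolved commit SHA (deterministic, 40 hex chars)."""
    return hashlib.sha1(key.encode()).hexdigest()


# Constructed sample workflow using action names from the PR; the gce-github-runner
# reusable workflow is the PR's documented exception and stays on @main.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  vm:
    uses: gitpod-io/gce-github-runner/.github/workflows/create-vm.yml@main
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version: 20
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
      - uses: actions/cache@v4
"""
INTERNAL = ("gitpod-io/gce-github-runner",)
# Constructed resolver; real values come from `git ls-remote` or the API, not from hashing the name.
RESOLVER = {k: fake_sha(k) for k in ("actions/checkout@v5", "actions/setup-node@v5", "actions/cache@v4")}

if __name__ == "__main__":
    for line_no, value in find_unpinned(SAMPLE_WORKFLOW, INTERNAL):
        print(f"line {line_no}: unpinned {value}")
    print(pin_workflow(SAMPLE_WORKFLOW, RESOLVER, INTERNAL))
```

Two practitioner caveats when filling the resolver for real. First, the SHA must be the commit, not a tag object: for an annotated tag `git ls-remote --tags` lists both `refs/tags/v5` and the peeled `refs/tags/v5^{}`, and the peeled entry is the one to pin. Second, keep the `# v5` comment, since it is what reviewers read and what Dependabot uses to propose SHA bumps. Pinning fixes only this reference; an action that itself `uses:` unpinned actions or downloads scripts at run time still needs to be reviewed.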
@corneliusludmann
Contributor Author

Builds are failing.

@kylos101: Is this expected, since we are still missing secrets?

@geropl
Member

geropl commented Dec 10, 2025

@corneliusludmann We need to get rid of gce-github-runner before: https://linear.app/ona-team/issue/PDE-208/get-rid-of-gce-github-runner

This is an example change for gitpod-io/gitpod that does the same: gitpod-io/gitpod#21169

Afterwards we should not need the google-auth anymore. If we still do, then it's for pushing images, and can use a more scoped-down service-account. 👍
