
ci: pin third-party GitHub Actions to verified release SHAs #1076

Closed
Vamshi-Microsoft wants to merge 1 commit into main from ci/pin-actions-and-git-diff

Conversation

@Vamshi-Microsoft (Contributor)

Purpose

  • Replace the tj-actions/changed-files action in broken-links-checker.yml with a built-in git diff step that detects changed Markdown files between the PR base and head SHAs, preserving the any_changed / all_changed_files outputs consumed by the lychee step. This removes a third-party dependency from change detection.
  • Pin third-party GitHub Actions to specific release commit SHAs (instead of mutable version tags) for reproducible and immutable workflow runs.

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout [branch-name]
npm install
  • Test the code

What to Check

Verify that the following are valid
Changed files:

  • .github/workflows/broken-links-checker.yml
  • .github/workflows/pr-title-checker.yml
  • .github/workflows/test.yml

Other Information
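The built-in git diff step described in the purpose section, as an added shell example that is not the workflow from this PR: it lists the Markdown files added, copied, modified or renamed between a base and a head commit and prints the same any_changed / all_changed_files key=value pairs a downstream lychee step can read from $GITHUB_OUTPUT. The function names, the throwaway repository and its file contents are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not this repository's workflow: detect changed Markdown files
# between a base and head commit with plain git, and emit the any_changed /
# all_changed_files outputs that a downstream step (here, lychee) consumes.
set -eu

# markdown_outputs: reads a newline-separated list of changed paths on stdin,
# keeps only *.md paths, and prints two key=value lines in $GITHUB_OUTPUT form.
markdown_outputs() {
  local files
  files=$(sed -n '/\.md$/p' | tr '\n' ' ' | sed 's/ *$//')
  if [ -n "$files" ]; then
    printf 'any_changed=true\nall_changed_files=%s\n' "$files"
  else
    printf 'any_changed=false\nall_changed_files=\n'
  fi
}

# detect_changed_markdown BASE HEAD: lists files added, copied, modified or
# renamed between the two commits (deleted files are skipped, since there is
# nothing left for a link checker to scan) and feeds them to markdown_outputs.
detect_changed_markdown() {
  git diff --name-only --diff-filter=ACMR "$1" "$2" | markdown_outputs
}

# demo_changed_markdown: builds a throwaway repository with two commits and
# runs the detection against them; the repository contents are constructed.
demo_changed_markdown() {
  local repo
  repo=$(mktemp -d)
  (
    cd "$repo"
    git init -q
    git config user.email ci@example.invalid
    git config user.name ci
    mkdir -p docs src
    printf '# Base\n' > README.md
    printf 'stale\n' > docs/old.md
    printf 'print(1)\n' > src/app.py
    git add -A
    git commit -q -m base
    base=$(git rev-parse HEAD)
    printf '# Changed\n' > README.md       # modified Markdown: reported
    printf '# Guide\n' > docs/guide.md     # added Markdown: reported
    git rm -q docs/old.md                   # deleted Markdown: skipped
    printf 'print(2)\n' > src/app.py        # modified non-Markdown: skipped
    git add -A
    git commit -q -m head
    head=$(git rev-parse HEAD)
    detect_changed_markdown "$base" "$head"
  )
  rm -rf "$repo"
}

# In a workflow run: step, append the result to the step outputs file:
#   detect_changed_markdown "$BASE_SHA" "$HEAD_SHA" >> "$GITHUB_OUTPUT"
```

Two things to check when wiring this into a pull_request workflow: actions/checkout fetches only the head commit by default, so the base SHA (github.event.pull_request.base.sha) must be fetched first (fetch-depth: 0 or an explicit git fetch of that SHA) or git diff fails; and if the base branch has moved since the PR branched, BASE...HEAD (three dots, diff from the merge base) reports only the PR's own changes, whereas BASE HEAD compares the two trees directly. The list is space-separated to match the output shape the lychee step already consumes, so paths containing spaces would need a different separator.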

@github-actions

Coverage

Coverage Report

File   Stmts  Miss  Cover  Missing
TOTAL  3055   381   87%

report-only-changed-files is enabled. No files were changed during this commit :)

Tests  Skipped  Failures  Errors  Time
886    5 💤      0 ❌      0 🔥    8.339s ⏱️

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens CI workflows by making third-party GitHub Action references immutable (pinned to specific commit SHAs) and removes a third-party dependency for detecting changed Markdown files in the broken-links workflow.

Changes:

  • Replaced tj-actions/changed-files with a git diff-based step that preserves any_changed / all_changed_files outputs for downstream lychee usage.
  • Pinned lycheeverse/lychee-action, amannn/action-semantic-pull-request, and MishaKav/pytest-coverage-comment to specific release commit SHAs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/broken-links-checker.yml Replaces third-party changed-files action with git diff output wiring and pins lychee action to a SHA.
.github/workflows/pr-title-checker.yml Pins the semantic PR title checker action to a specific release SHA.
.github/workflows/test.yml Pins the pytest coverage comment action to a specific release SHA.

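A check for the pinning rule this review summarises, as an added shell example that is not part of the PR: a line-based lint that prints every `uses:` reference in a workflow file whose ref is a mutable tag or branch rather than a full 40-hex commit SHA (or an image digest for docker:// actions). The sample workflow text is constructed, the function names are mine, and the 40-hex value in the sample is a placeholder, not a real release SHA for any of the actions named in this PR.

```shell
#!/usr/bin/env bash
# Added example, not this repository's code: a shell lint that flags GitHub
# Actions `uses:` references whose ref is a mutable tag or branch instead of a
# full commit SHA (or, for docker:// actions, an image digest).
set -eu

# unpinned_uses: reads workflow YAML on stdin and prints every `uses:` reference
# that is not pinned. Local actions (./path) have no ref to pin and are skipped.
unpinned_uses() {
  sed -n 's/^[[:space:]-]*uses:[[:space:]]*//p' \
    | sed 's/[[:space:]]*#.*$//' \
    | tr -d "\"'" \
    | grep -v '^\./' \
    | grep -Ev '@([0-9a-f]{40}|sha256:[0-9a-f]{64})$' \
    || true
}

# check_workflow_pins FILE...: returns 1 and lists offenders if any workflow
# file contains an unpinned reference, 0 otherwise.
check_workflow_pins() {
  local rc=0 f hits
  for f in "$@"; do
    hits=$(unpinned_uses < "$f")
    if [ -n "$hits" ]; then
      printf '%s: unpinned action references:\n%s\n' "$f" "$hits"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample workflow: one pinned SHA (placeholder, not a real release
# commit), one local action, and three mutable references the lint should catch.
WORKFLOW_SAMPLE='name: ci
on: [pull_request]
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-setup
      - uses: lycheeverse/lychee-action@0123456789abcdef0123456789abcdef01234567 # vX.Y.Z (placeholder SHA)
      - uses: amannn/action-semantic-pull-request@v5
      - name: Coverage comment
        uses: "MishaKav/pytest-coverage-comment@main"
'

# demo_unpinned: runs the lint over the constructed sample and prints the
# three mutable references it contains.
demo_unpinned() {
  printf '%s' "$WORKFLOW_SAMPLE" | unpinned_uses
}

# Typical use in CI: check_workflow_pins .github/workflows/*.yml
```

The sample keeps the release version as a trailing comment after the SHA, which is the usual convention: humans and dependency-update bots can still see which release the pin corresponds to, while the workflow itself resolves to an immutable commit. Take the SHA from the release tag in the action's own repository (for example by resolving the tag with git ls-remote) rather than from a third-party listing, and re-pin deliberately when upgrading. The lint only looks at single-line `uses:` entries, so it will not catch references split across lines or inside composite actions elsewhere in the repository.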

Review comment thread on .github/workflows/broken-links-checker.yml (outdated)
@Vamshi-Microsoft force-pushed the ci/pin-actions-and-git-diff branch from 6224b92 to b64579a on June 30, 2026 08:09
@Vamshi-Microsoft (Contributor, Author)

Addressed the Copilot review comment: removed the leftover "with:/files:" block that remained after converting the tj-actions/changed-files step to a built-in git diff run: step. "with:" is only valid for "uses:" action steps, so leaving it would have made the workflow YAML invalid. The file now passes YAML validation.
