ci: pin third-party GitHub Actions to verified release SHAs#1076
Vamshi-Microsoft wants to merge 1 commit into
Pull request overview
This PR hardens CI workflows by making third-party GitHub Action references immutable (pinned to specific commit SHAs) and removes a third-party dependency for detecting changed Markdown files in the broken-links workflow.
Changes:
- Replaced `tj-actions/changed-files` with a `git diff`-based step that preserves the `any_changed`/`all_changed_files` outputs for downstream lychee usage.
- Pinned `lycheeverse/lychee-action`, `amannn/action-semantic-pull-request`, and `MishaKav/pytest-coverage-comment` to specific release commit SHAs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/broken-links-checker.yml | Replaces third-party changed-files action with git diff output wiring and pins lychee action to a SHA. |
| .github/workflows/pr-title-checker.yml | Pins the semantic PR title checker action to a specific release SHA. |
| .github/workflows/test.yml | Pins the pytest coverage comment action to a specific release SHA. |
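Pinning to a release SHA has one trap worth checking before the pin goes in: for an annotated tag, `git ls-remote --tags` lists the tag object's SHA on the `refs/tags/vX` line and the commit it points at on the `refs/tags/vX^{}` line, and the runner needs the commit. The helper below is an added example, not code from this PR or from any of the pinned actions: it takes ls-remote-style output on stdin, prefers the peeled SHA, and also checks whether a `uses:` line is already SHA-pinned. The tag names and SHAs in `sample_ls_remote` are constructed placeholders, not the real SHAs of `lycheeverse/lychee-action` or any other action.

```shell
#!/bin/sh
# Added example (not the PR's own code). Assumes POSIX sh, awk and grep.
set -e

# Constructed stand-in for `git ls-remote --tags <repo-url>` output.
# Real output separates SHA and ref with a tab, as here. The SHAs are fake.
# v2.4.0 is an annotated tag (tag object SHA, then the peeled commit on "^{}");
# v2.3.0 is a lightweight tag (the SHA already is the commit).
sample_ls_remote() {
  printf '%s\t%s\n' \
    0123456789abcdef0123456789abcdef01234567 'refs/tags/v2.4.0' \
    89abcdef0123456789abcdef0123456789abcdef 'refs/tags/v2.4.0^{}' \
    fedcba9876543210fedcba9876543210fedcba98 'refs/tags/v2.3.0'
}

# Read ls-remote lines on stdin and print the commit SHA to pin for $1.
# The peeled ("^{}") line wins; a plain line is used only for lightweight tags.
# Exits non-zero when the tag is absent, so a typo in the version is loud.
peeled_sha_for_tag() {
  tag="$1"
  awk -v t="refs/tags/$tag" '
    $2 == t "^{}" { peeled = $1 }
    $2 == t       { plain = $1 }
    END {
      if (peeled != "")     print peeled
      else if (plain != "") print plain
      else                  exit 1
    }'
}

# True when a workflow `uses:` line references a full 40-hex commit SHA
# rather than a tag or branch name. A trailing "# vX.Y.Z" comment is allowed.
is_sha_pinned() {
  printf '%s\n' "$1" | grep -Eq '@[0-9a-f]{40}([[:space:]]|$)'
}
```

To pin a real action, replace `sample_ls_remote` with `git ls-remote --tags https://github.com/OWNER/REPO` (this needs network access) and pipe it into `peeled_sha_for_tag vX.Y.Z`; the printed SHA goes into `uses: OWNER/REPO@<sha> # vX.Y.Z`, with the version kept as a comment so a reviewer can re-run the same check later. `is_sha_pinned` is the kind of line check a CI lint step can run over `.github/workflows/*.yml` to catch a `@v2`-style reference slipping back in.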
6224b92 to b64579a
Addressed the Copilot review comment: removed the leftover `with:`/`files:` block that remained after converting the `tj-actions/changed-files` step to a built-in `git diff` `run:` step. `with:` is only valid for `uses:` action steps, so leaving it would have made the workflow YAML invalid. The file now passes YAML validation.
Purpose
`tj-actions/changed-files` action in `broken-links-checker.yml` with a built-in `git diff` step that detects changed Markdown files between the PR base and head SHAs, preserving the `any_changed`/`all_changed_files` outputs consumed by the lychee step. This removes a third-party dependency from change detection.
Does this introduce a breaking change?
How to Test
What to Check
Verify that the following are valid
Changed files:
- .github/workflows/broken-links-checker.yml
- .github/workflows/pr-title-checker.yml
- .github/workflows/test.yml
Other Information
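The change-detection step described above reduces to one `git diff` plus writing two values to `$GITHUB_OUTPUT`. The script below is an added example of that logic, not the workflow code from this PR: `changed_markdown_files` lists Markdown files that differ between base and head, and `emit_outputs` writes `any_changed` and `all_changed_files` in the same shape `tj-actions/changed-files` produces by default (space-separated), so a downstream lychee step needs no change. The function and variable names, and the repository layout built in the test, are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the PR's own workflow code). Assumes POSIX sh and git.
set -e

# Print changed Markdown files between base and head, one per line.
# ACMR = added, copied, modified, renamed; deleted files are skipped because a
# link checker has nothing to read there. The three-dot range diffs head against
# the merge base, so only the PR's own changes are listed, not commits that
# landed on the base branch after the PR was forked. Git's plain pathspec '*.md'
# matches across directory separators, so docs/guide.md is included.
changed_markdown_files() {
  repo="$1"; base="$2"; head="$3"
  git -C "$repo" diff --name-only --diff-filter=ACMR "${base}...${head}" -- '*.md' '*.markdown'
}

# Append the two outputs to a $GITHUB_OUTPUT-style file (key=value per line).
# any_changed is "true"/"false"; all_changed_files is space-separated.
emit_outputs() {
  repo="$1"; base="$2"; head="$3"; out="$4"
  files="$(changed_markdown_files "$repo" "$base" "$head" | tr '\n' ' ' | sed 's/ $//')"
  if [ -n "$files" ]; then
    printf 'any_changed=true\n' >> "$out"
  else
    printf 'any_changed=false\n' >> "$out"
  fi
  printf 'all_changed_files=%s\n' "$files" >> "$out"
}

# Read one key back from a $GITHUB_OUTPUT-style file (last value wins, as on GitHub).
read_output() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}
```

In a `pull_request` workflow the call would be `emit_outputs "$GITHUB_WORKSPACE" "${{ github.event.pull_request.base.sha }}" "${{ github.event.pull_request.head.sha }}" "$GITHUB_OUTPUT"` inside a `run:` step that has an `id:`, after an `actions/checkout` with enough `fetch-depth` (or `fetch-depth: 0`) for the merge base to be present; the default depth of 1 leaves `git diff base...head` with nothing to compare against. The space-separated form cannot represent a filename containing a space, the same limitation the default separator of the replaced action had, so switch to a newline-separated multi-line output if such files exist.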