Skip to content

ci: pin third-party GitHub Actions to verified release SHAs#1077

Open
Vamshi-Microsoft wants to merge 1 commit into
mainfrom
ci/pin-third-party-actions
Open

ci: pin third-party GitHub Actions to verified release SHAs#1077
Vamshi-Microsoft wants to merge 1 commit into
mainfrom
ci/pin-third-party-actions

Conversation

@Vamshi-Microsoft

Copy link
Copy Markdown
Contributor

Purpose

  • Pin third-party GitHub Actions to specific release commit SHAs (instead of mutable version tags) for reproducible and immutable workflow runs.
  • Replace the tj-actions/changed-files action in the broken-link checker with a built-in git diff step, which removes a third-party dependency from change detection.

Changes:

  • .github/workflows/broken-links-checker.yml — replace tj-actions/changed-files with a built-in git diff step; pin lycheeverse/lychee-action to 8646ba3 (v2.8.0).
  • .github/workflows/pr-title-checker.yml — pin amannn/action-semantic-pull-request to 48f2562 (v6.1.1).
  • .github/workflows/test.yml — pin MishaKav/pytest-coverage-comment to e48ae95 (v1.8.0).

Does this introduce a breaking change?

  • Yes
  • No

How to Test

  • Get the code
git clone [repo-address]
cd [repo-name]
git checkout ci/pin-third-party-actions
  • Test the code
# Open a PR that modifies a markdown file; the broken-links-checker workflow
# detects the changed .md files via git diff and runs lychee on them.

What to Check

Verify that the following are valid

  • The broken-links-checker workflow detects changed markdown files and runs lychee successfully.
  • The pinned SHAs resolve to the indicated release tags.

Other Information

@github-actions

Copy link
Copy Markdown

Coverage

Coverage Report •
FileStmtsMissCoverMissing
TOTAL305538187% 
report-only-changed-files is enabled. No files were changed during this commit :)

Tests Skipped Failures Errors Time
886 5 💤 0 ❌ 0 🔥 4.828s ⏱️

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens CI workflow reproducibility by pinning third-party GitHub Actions to immutable commit SHAs, and removes a third-party dependency from the broken-link checker by switching changed-file detection to git diff.

Changes:

  • Pin lycheeverse/lychee-action, amannn/action-semantic-pull-request, and MishaKav/pytest-coverage-comment to specific commit SHAs.
  • Replace tj-actions/changed-files in the broken-link checker with a git diff-based step to detect changed Markdown files.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/broken-links-checker.yml Replaces changed-file detection with git diff and pins lychee-action to a SHA.
.github/workflows/pr-title-checker.yml Pins action-semantic-pull-request to a SHA for immutable runs.
.github/workflows/test.yml Pins pytest-coverage-comment to a SHA for immutable runs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/broken-links-checker.yml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants