
Pin GitHub Actions to immutable commit SHAs #123

Open. Copilot wants to merge 1 commit into main from copilot/migrate-github-actions-to-pinned-versions-again


Copilot AI commented Jun 23, 2026

This PR migrates workflow action references from mutable tags to immutable commit SHAs to harden CI supply-chain integrity. Version tags are retained as inline comments for readability and upgrade tracking.

  • Workflow hardening
    • Updated .github/workflows/test.yaml to pin every uses: reference to a specific commit.
    • Replaced tag-based refs for:
      • actions/checkout@v6
      • actions/setup-go@v6
      • golangci/golangci-lint-action@v9
      • shogo82148/actions-goveralls@v1
  • Traceability
    • Added inline comments (# v6, # v9, etc.) next to each pinned SHA to preserve semantic version context while enforcing immutability.

- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
- uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9
- uses: shogo82148/actions-goveralls@9606dbc5ac5cf888a0e9ef901515c3cd516a2790 # v1

Copilot AI changed the title from "Pin GitHub Actions to commit SHAs" to "Pin GitHub Actions to immutable commit SHAs" Jun 23, 2026
Copilot AI requested a review from snorwin June 23, 2026 10:10
snorwin marked this pull request as ready for review June 23, 2026 11:21