
GitHub Actions: require actions to be pinned to full-length commit SHA #1372

Merged: mgovers merged 1 commit into main from pgm/feature/github-actions-commit-sha on Apr 16, 2026

GitHub Actions: require actions to be pinned to full-length commit SHA#1372
mgovers merged 1 commit intomainfrom
pgm/feature/github-actions-commit-sha

Conversation

@mgovers (Member) commented Apr 16, 2026

This is part of our goal to follow security best practices. See also https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#using-third-party-actions

Cfr. https://docs.github.com/en/enterprise-cloud@latest/admin/enforcing-policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#controlling-access-to-public-actions-and-reusable-workflows:

Require actions to be pinned to a full-length commit SHA: All actions must be pinned to a full-length commit SHA to be used. This includes actions from your enterprise and actions authored by GitHub. Reusable workflows can still be referenced by tag. For more information, see Secure use reference.

So we also have to pin the GitHub-owned actions (actions/checkout, ...) and the PowerGridModel-owned action (pgm-version-bump) before we can enable enforcement.

In addition, uv has migrated to no longer use rolling release tags (e.g. v7, v8, v8.0, ...) and instead requires us to use either the full tag (e.g. v8.0.0) or the full-length commit SHA (e.g. cec208311dfd045dd5311c1add060b2062131d57), optionally followed by a commented-out version of the tag (e.g. cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0). Further reading: https://github.com/astral-sh/setup-uv/releases/tag/v8.0.0. This also means that we missed the latest version bump of uv. This feels like a good moment to jump, but let's let dependabot handle that, so we can 1. separate concerns, and 2. test whether the dependabot pipeline still works.

Relates to:
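The policy described above (every action pinned to a 40-character commit SHA, optionally followed by the tag as a comment, with reusable workflows still allowed to use tags) is easy to check mechanically before enabling enforcement. The following Python checker is an added example and is not part of this PR or of the power-grid-model repository. It scans a constructed sample workflow (not one of the PR's files) for `uses:` lines, classifies each reference, and reports both references that would be rejected under the enforcement setting and SHA-pinned references that lack the readability comment. The setup-uv SHA and `# v8.0.0` annotation are the ones quoted in the PR description; the upload-artifact SHA is a made-up placeholder.

```python
import re

# Constructed sample workflow for this example (not a file from the PR).
# The setup-uv SHA and "# v8.0.0" annotation are the ones quoted in the PR
# description; the upload-artifact SHA is a made-up placeholder value.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v8
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: org/repo/.github/workflows/reusable.yml@v1
"""

# Matches a `uses:` line, capturing the reference and an optional trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<note>.*?))?\s*$")
# A full-length commit SHA is exactly 40 lowercase hex digits; short SHAs do not count.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference by how it is pinned."""
    if ref.startswith("./"):
        return "local"          # action in this repository, fixed by the checkout itself
    if ref.startswith("docker://"):
        return "docker"         # container image, not covered by the SHA policy
    if "@" not in ref:
        return "unversioned"
    path, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha"
    if "/.github/workflows/" in path and path.endswith((".yml", ".yaml")):
        return "reusable"       # reusable workflow: the policy still allows tags here
    return "mutable"            # tag or branch: the ref can be moved after the fact


def iter_uses(text: str):
    """Yield (line_number, ref, note) for each `uses:` line in a workflow."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            yield lineno, m.group("ref").strip("'\""), m.group("note")


def find_unpinned(text: str, allow_reusable_tags: bool = True) -> list[tuple[int, str]]:
    """Return (line_number, ref) for references that violate the full-SHA policy."""
    bad = []
    for lineno, ref, _ in iter_uses(text):
        kind = classify_uses(ref)
        if kind in ("mutable", "unversioned") or (kind == "reusable" and not allow_reusable_tags):
            bad.append((lineno, ref))
    return bad


def missing_annotations(text: str) -> list[tuple[int, str]]:
    """Return SHA-pinned references that lack the `# vX.Y.Z` readability comment."""
    return [
        (lineno, ref)
        for lineno, ref, note in iter_uses(text)
        if classify_uses(ref) == "sha" and not note
    ]


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a full-length commit SHA: {ref}")
    for lineno, ref in missing_annotations(SAMPLE_WORKFLOW):
        print(f"line {lineno}: pinned SHA has no version comment: {ref}")
```

Run it over the files under `.github/workflows/` with `allow_reusable_tags=False` if the repository also wants reusable workflows pinned; the default mirrors the enterprise setting quoted above, which exempts them. Keeping the `# vX.Y.Z` comment next to each SHA is what lets dependabot and human reviewers see which release a hash corresponds to.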

@mgovers mgovers self-assigned this Apr 16, 2026
@mgovers mgovers added the github_actions Pull requests that update GitHub Actions code label Apr 16, 2026
@mgovers mgovers changed the title GitHub Actions: require actions to be pinned to full length commit SHA GitHub Actions: require actions to be pinned to full-length commit SHA Apr 16, 2026
Copilot AI (Contributor) left a comment

Pull request overview

Pins GitHub Actions used in workflows to full-length commit SHAs to comply with enterprise security enforcement requirements.

Changes:

  • Replaced tag-based uses: owner/repo@vX references with full commit SHAs across multiple workflows.
  • Added inline version annotations next to pinned SHAs for readability/traceability.
  • Minor YAML formatting adjustments in workflow definitions.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Summary per file:

| File | Description |
| --- | --- |
| .github/workflows/sonar.yml | Pins checkout, uv setup, and SonarSource actions to full commit SHAs. |
| .github/workflows/reuse-compliance.yml | Pins checkout and REUSE compliance action to full commit SHAs. |
| .github/workflows/refresh-lock-and-linter-dependencies.yml | Pins checkout, uv setup, templating, token, and PR creation actions to full commit SHAs. |
| .github/workflows/clang-tidy.yml | Pins checkout and uv setup actions to full commit SHAs. |
| .github/workflows/citations.yml | Pins checkout and cff-validator actions to full commit SHAs. |
| .github/workflows/ci.yml | Pins release downloader and PyPI publish actions; adjusts YAML formatting. |
| .github/workflows/check-code-quality.yml | Pins checkout and uv setup actions to full commit SHAs. |
| .github/workflows/check-build-reproducibility.yml | Pins checkout, uv setup, and setup-xcode actions to full commit SHAs. |
| .github/workflows/build-test-release.yml | Pins a broad set of actions (checkout, uv setup, artifacts, xcode, cibuildwheel, miniconda, releases) to full commit SHAs. |


Comment thread .github/workflows/build-test-release.yml
Comment thread .github/workflows/ci.yml
Signed-off-by: Martijn Govers <Martijn.Govers@Alliander.com>
@mgovers mgovers force-pushed the pgm/feature/github-actions-commit-sha branch from a4c1c96 to ffd74c3 on April 16, 2026 06:34
@sonarqubecloud

@mgovers mgovers added the dependencies Pull requests that update a dependency file label Apr 16, 2026