Pin GitHub Actions to immutable SHAs while preserving tag tracking #258

Merged: jkowalleck merged 2 commits into main from copilot/chore-pin-github-action on Apr 23, 2026
Copilot AI commented Apr 15, 2026

This updates the workflow to keep action versions anchored to their current major tags while pinning execution to exact commits. It closes the gap where tag movement could change CI behavior unexpectedly, without losing Dependabot’s ability to detect upstream updates.

  • Workflow hardening

    • Replaced tag-only uses: references in .github/workflows/php.yml with commit-pinned references for:
      • actions/checkout
      • actions/upload-artifact
      • shivammathur/setup-php
  • Dependabot-friendly pin format

    • Kept the major tag as an inline comment (# v6, # v2) next to each SHA pin so update tooling can still infer intended tag lineage.

Example pattern now used:

uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
uses: shivammathur/setup-php@728c6c6b8cf02c2e48117716a91ee48313958a19 # v2
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 15, 2026 that may be closed by this pull request
Copilot AI changed the title [WIP] Pin GitHub actions to specific commit hashes Pin GitHub Actions to immutable SHAs while preserving tag tracking Apr 15, 2026
Copilot AI requested a review from jkowalleck April 15, 2026 12:58
@jkowalleck jkowalleck marked this pull request as ready for review April 23, 2026 10:28
@jkowalleck jkowalleck merged commit e9c1d22 into main Apr 23, 2026
17 checks passed
@jkowalleck jkowalleck deleted the copilot/chore-pin-github-action branch April 23, 2026 10:31
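
Added example (not part of the pull request or the project's code): a small audit that checks workflow text for the pin format described above, a 40-character commit SHA followed by a version tag comment. The sample workflow is constructed for illustration, and the function names and status labels are assumptions of this example.

```python
import re

# Constructed sample workflow (not the project's php.yml). The two fully
# pinned SHAs are the ones quoted in the PR description.
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: shivammathur/setup-php@v2
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
      - uses: ./.github/actions/local-step
      - uses: "actions/cache@main"  # floating branch
"""

# Matches step-level and job-level `uses:` keys, with optional quotes and
# an optional trailing comment captured in group 2.
USES = re.compile(r"""^\s*(?:-\s*)?uses:\s*["']?([^"'\s#]+)["']?\s*(?:#\s*(.*))?$""")
SHA = re.compile(r"[0-9a-f]{40}")             # full commit SHA, not a short one
TAG_COMMENT = re.compile(r"v?\d+(\.\d+)*\b")  # e.g. v6, v2, 4.1.0

def classify(ref, comment):
    """Return a status label for one `uses:` reference."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"                      # local / container refs: out of scope here
    _name, sep, version = ref.partition("@")
    if not sep or not SHA.fullmatch(version):
        return "mutable-ref"                  # tag or branch: can move upstream
    if not comment or not TAG_COMMENT.match(comment.strip()):
        return "pinned-no-tag-comment"        # immutable, but tag lineage is lost
    return "pinned"

def audit(text):
    """Return (line number, reference, status) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            findings.append((lineno, m.group(1), classify(m.group(1), m.group(2))))
    return findings

if __name__ == "__main__":
    for lineno, ref, status in audit(SAMPLE):
        print(f"line {lineno}: {status:22} {ref}")
```

The check is purely syntactic: it does not confirm that the SHA is the commit the tag in the comment points to, which requires resolving the tag against the upstream repository.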