ci: pinned commit shas to github workflows#1770

Merged
Prashansa-K merged 2 commits intomainfrom
ci/pin-commit-shas
Sep 30, 2025

Conversation

@Prashansa-K
Contributor

@Prashansa-K Prashansa-K commented Sep 30, 2025

  • Pinning all modules used in GH workflows with commit SHAs.
  • Added a script that can help to fetch commit SHAs via GH API.
  • Added a new workflow that ensures that all actions are pinned.

This is a security enhancement. We are pinning all
third-party actions that are used in our GH workflows.
This is to ensure that an incident like this doesn't recur:
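The two technical pieces the description names, a check that every `uses:` in a workflow is pinned to a full commit SHA and a helper that resolves a release tag to the SHA it points to, are shown below as an added example; this is not the script or workflow from this PR. It assumes action references have the shape `owner/repo[/path]@ref`, skips local (`./...`) and `docker://` references, and the sample workflow is constructed (only the harden-runner pin is taken from the PR; the other steps are made up to exercise the unpinned and skipped paths).

```shell
#!/bin/bash
# Added example, not the script from this PR: a pin check for GitHub Actions
# workflows plus a tag-to-SHA resolver. Assumptions: action refs look like
# owner/repo[/path]@ref; local actions (./...) and docker:// refs are skipped.

# Constructed sample workflow; the harden-runner pin is the one shown in the PR,
# the other three steps are made up to exercise the unpinned/skip paths.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
      - uses: "actions/setup-go@main"
'

# stdin: workflow YAML -> stdout: one `uses:` value per line, quotes and trailing comment stripped
extract_uses() {
  sed -nE "s/^[[:space:]-]*uses:[[:space:]]*[\"']?([^\"'#[:space:]]+).*/\1/p"
}

# $1: a uses: value. Exit 0 when it is pinned to a full 40-hex commit SHA (or is out of scope).
is_pinned_ref() {
  case "$1" in
    ./*|docker://*) return 0 ;;   # local action or container image: nothing to pin here
  esac
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(/[^@[:space:]]+)?@[0-9a-f]{40}$'
}

# stdin: workflow YAML -> stdout: every uses: value that is NOT SHA-pinned
unpinned_refs() {
  extract_uses | while IFS= read -r ref; do
    is_pinned_ref "$ref" || printf '%s\n' "$ref"
  done
}

# $1: workflow YAML as a string (convenience wrapper for testing)
unpinned_in() {
  printf '%s\n' "$1" | unpinned_refs
}

# $1: workflows directory (default .github/workflows). Exit 1 if any file has an
# unpinned action; this is the check an "ensure all actions are pinned" job would run.
check_workflows_dir() {
  dir="${1:-.github/workflows}"; bad=0
  for f in "$dir"/*.yml "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    out=$(unpinned_refs < "$f")
    if [ -n "$out" ]; then
      printf '%s: unpinned action(s):\n%s\n' "$f" "$out"
      bad=1
    fi
  done
  return "$bad"
}

# $1: owner/repo, $2: tag (e.g. v2.13.1). Prints the commit SHA the tag points to,
# using the gh CLI (needs network and auth; not exercised offline). The commits
# endpoint dereferences annotated tags, so this prints the commit, not the tag object.
resolve_tag_sha() {
  gh api "repos/$1/commits/$2" --jq .sha
}

# Stand-alone run: list the unpinned refs in the constructed sample.
unpinned_in "$SAMPLE_WORKFLOW"
```

`check_workflows_dir` is the part that belongs in the enforcing workflow; it exits non-zero as soon as any file references an action by tag or branch, which is exactly what a mutable reference like `@v4` allows an upstream compromise to redirect. The regex deliberately rejects abbreviated SHAs, since only the full 40-hex form is immutable for this purpose.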

@codecov-commenter

codecov-commenter commented Sep 30, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 32.71%. Comparing base (bb5d676) to head (939eaf3).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1770   +/-   ##
=======================================
  Coverage   32.71%   32.71%           
=======================================
  Files          73       73           
  Lines        8112     8112           
=======================================
  Hits         2654     2654           
  Misses       5292     5292           
  Partials      166      166           


@harshadixit12
Contributor

@Prashansa-K can you add the reason for these changes as well?

@Prashansa-K
Contributor Author

@Prashansa-K can you add the reason for these changes as well?

Updated the description. Does that help?

@@ -0,0 +1,102 @@
#!/bin/bash
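Review bot: only the shebang of the 102-line script is visible in this hunk; since the author describes it as a generated script that fetches SHAs through the GitHub API, add `set -euo pipefail` immediately after `#!/bin/bash` so a failed API call, an unset token variable or a broken pipe aborts the run instead of silently emitting an empty or partial SHA that then gets pasted into a workflow pin.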
Contributor Author


Generated script.

runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
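Review bot: the trailing `# v2.13.1` comment is the only human-readable version marker on this pin, and the reviewer's observation that other workflows use 2.11.1 shows the harden-runner pins are now out of step across the repository; pick one version for all workflows and keep the comment equal to the tag the SHA actually resolves to, because dependency-update tooling such as Dependabot reads that comment when bumping SHA pins, and a stale or mismatched comment makes the next audit misleading.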
Contributor


not a blocker, calling out for visibility - but we seem to be using 2.11.1 in other workflows.

@Prashansa-K Prashansa-K merged commit bfe30f1 into main Sep 30, 2025
36 checks passed
@Prashansa-K Prashansa-K deleted the ci/pin-commit-shas branch September 30, 2025 08:55