🔒 Security: Pin all GitHub Actions to commit SHAs#15225
🔒 Security: Pin all GitHub Actions to commit SHAs#15225bidfox wants to merge 1 commit intofastapi:masterfrom
Conversation
This PR pins all GitHub Actions to their full commit SHAs instead of mutable version tags, protecting against tag-poisoning attacks like the recent TeamPCP supply chain campaign (March 2026). Changes: - Pin all 18 unique actions across 19 workflow files to SHA - Add version comments for readability (# v6, # v7, etc.) - Pin Docker image to digest hash Actions pinned: - actions/checkout @v5, @v6 - actions/setup-python @v6 - actions/upload-artifact @v7 - actions/download-artifact @v8 - actions/cache @v5 - actions/labeler @v6 - actions/add-to-project @v1.0.2 - astral-sh/setup-uv @v7 - cloudflare/wrangler-action @V3 - CodSpeedHQ/action @v4 - dorny/paths-filter @v4 - eps1lon/actions-label-merge-conflict @v3.0.3 - mxschmitt/action-tmate @V3 - pre-commit-ci/lite-action @v1.1.0 - re-actors/alls-green @release/v1 - tiangolo/issue-manager @0.6.0 - tiangolo/latest-changes @0.4.1 - agilepathway/pull-request-label-checker (Docker) Security benefit: Tag-pinned actions can be silently modified if the upstream repository is compromised. SHA pinning ensures immutability. Dependabot/Renovate can auto-update SHA pins safely. Co-Authored-By: Claude Opus 4.5 <[email protected]>
📝 Docs previewLast commit 995a2a5 at: https://8360ccea.fastapitiangolo.pages.dev |
There was a problem hiding this comment.
@bidfox, thanks for pointing to this!
This will definitely be less convenient (we don't see what is the version used; comments will stale if we forget to update them on upgrade (upd: seems that Dependabot will update comment automatically)), but this seems to be a recommended approach: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions.
Would be nice to have both (version number and commit ssh) at the same time, but it seems that there is no way to do this currently.
Let's wait for Sebastian to validate the idea, then I will check commit SHAs and check\adjust the Dependabot's config
| steps: | ||
| - name: Check if PRs have merge conflicts | ||
| uses: eps1lon/actions-label-merge-conflict@v3 | ||
| uses: eps1lon/actions-label-merge-conflict@636b369ea34ff799b8db5182df6f19e39b2d4adb # v3.0.3 |
There was a problem hiding this comment.
| python-version-file: ".python-version" | ||
| - name: Setup uv | ||
| uses: astral-sh/setup-uv@v7 | ||
| uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7 |
There was a problem hiding this comment.
| run: uv sync --no-dev --group tests --extra all | ||
| - name: CodSpeed benchmarks | ||
| uses: CodSpeedHQ/action@v4 | ||
| uses: CodSpeedHQ/action@dfaf2584d705312e4ab4e23a4dd3e2f56b71ef3b # v4 |
There was a problem hiding this comment.
This is wrong: https://github.com/CodSpeedHQ/action/releases/tag/v4.12.1
And looks like dfaf2584d705312e4ab4e23a4dd3e2f56b71ef3b doesn't even exist
2 participants
Summary
This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags, protecting against tag-poisoning supply chain attacks.
@abc123 # v6)Security Context
Mutable tags like
@v6or@latestcan be silently modified if the upstream repository is compromised. In March 2026, the TeamPCP supply chain campaign demonstrated this attack vector:trivy-actionrepositoryaquasecurity/[email protected]silently pulled malicious codeSHA-pinning eliminates this attack vector entirely. The pinned commit cannot change — any modification would result in a hash mismatch.
Actions Pinned
actions/checkout93cb6efe18208431cddfb8368fd83d5badbf9bfdactions/checkoutde0fac2e4500dabe0009e67214ff5f5447ce83ddactions/setup-pythona309ff8b426b58ec0e2a45f0f869d46889d02405actions/upload-artifactbbbca2ddaa5d8feaa63e36b76fdaad77386f024factions/download-artifact3e5f45b2cfb9172054b4087a40e8e0b5a5461e7cactions/cache668228422ae6a00e4ad889ee87cd7109ec5666a7actions/labeler634933edcd8ababfe52f92936142cc22ac488b1bactions/add-to-project244f685bbc3b7adfa8466e08b698b5577571133eastral-sh/setup-uv94527f2e458b27549849d47d273a16bec83a01e9cloudflare/wrangler-actionda0e0dfe58b7a431659754fdf3f186c529afbe65CodSpeedHQ/actiondfaf2584d705312e4ab4e23a4dd3e2f56b71ef3bdorny/paths-filterfbd0ab8f3e69293af611ebaee6363fc25e6d187deps1lon/actions-label-merge-conflict636b369ea34ff799b8db5182df6f19e39b2d4adbmxschmitt/action-tmatec0afd6f790e3a5564914980036ebf83216678101pre-commit-ci/lite-action5d6cc0eb514c891a40562a58a8e71576c5c7fb43re-actors/alls-green05ac9388f0aebcb5727afa17fcccfecd6f8ec5fetiangolo/issue-manager2fb3484ec9279485df8659e8ec73de262431737dtiangolo/latest-changesc9d329cb147f0ddf4fb631214e3f838ff17ccbbdagilepathway/pull-request-label-checkersha256:14f5f3dfda922496d07d53494e2d2b42885165f90677a1c03d600059b7706a61Maintaining SHA Pins
Dependabot or Renovate can automatically update SHA pins when new versions are released, maintaining both security and currency. Example Dependabot config:
Test plan
🤖 Generated with Claude Code