
CI: Pin GitHub Actions to commit SHAs#155089

Open
Turbo87 wants to merge 1 commit intorust-lang:mainfrom
Turbo87:pin-github-actions

Conversation

Turbo87 (Member) commented Apr 10, 2026

Pin all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us.

  • actions/checkout → v6.0.2
  • actions/upload-artifact → v7.0.0
  • actions/download-artifact → v4.3.0

actions/checkout is bumped from v5 to v6 at the same time. v6 stores the git credentials outside the working tree, so it can no longer be picked up by subsequent actions/upload-artifact steps (see "artipacked" link below).

See https://docs.zizmor.sh/audits/#unpinned-uses and https://docs.zizmor.sh/audits/#artipacked
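As an added illustration of the "unpinned uses" check the description refers to (this is example code, not part of the PR or of zizmor), the following script scans a workflow file for `uses:` references and reports any that are not pinned to a 40-hex commit SHA with a version tag in the trailing comment, which is exactly the shape the PR converts the workflows to. The workflow text and the SHA in it are constructed for the example; the SHA is a placeholder, not a real commit of any action.

```python
import re

# A `uses:` line: optional list dash, the reference, and an optional `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
# Immutable pin: a full 40-character hex commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# A version tag such as v6, v6.0.2 or 4.3.0 (what the trailing comment should hold).
VERSION_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify_uses(line):
    """Return a dict describing one `uses:` line, or None if the line is not one."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref = m.group("ref").strip("\"'")
    comment = (m.group("comment") or "").strip()
    # Local composite actions and docker images are not GitHub-hosted tags, so
    # the SHA-pinning rule does not apply to them.
    if ref.startswith("./") or ref.startswith("docker://"):
        return {"action": ref, "ref": "", "comment": comment, "status": "local-or-docker"}
    action, _, version = ref.partition("@")
    if SHA_RE.match(version):
        # Pinned; the resolved tag should still be recorded in the comment so
        # humans (and update tooling) can see which version the SHA stands for.
        status = "pinned" if VERSION_RE.match(comment) else "pinned-no-version-comment"
    elif VERSION_RE.match(version):
        status = "unpinned-tag"       # mutable tag: upstream can move it
    else:
        status = "unpinned-branch"    # branch name or other mutable ref
    return {"action": action, "ref": version, "comment": comment, "status": status}


def audit_workflow(text):
    """Return (line number, action, status) for every reference that is not cleanly pinned."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        c = classify_uses(line)
        if c and c["status"] not in ("pinned", "local-or-docker"):
            findings.append((lineno, c["action"], c["status"]))
    return findings


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v7.0.0
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, action, status in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}: {status}")
```

Run on the sample it flags the `v5` tag, the pinned-but-uncommented download step, and the `@main` branch reference, while the pinned upload step and the local composite action pass. Pointing it at a real `.github/workflows/*.yml` is a quick way to confirm that a pinning PR like this one left nothing behind.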

@rustbot rustbot added A-CI Area: Our Github Actions CI S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-infra Relevant to the infrastructure team, which will review and decide on the PR/issue. labels Apr 10, 2026
rustbot (Collaborator) commented Apr 10, 2026

r? @jdno

rustbot has assigned @jdno.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: infra-ci
  • infra-ci expanded to Kobzol, Mark-Simulacrum, jdno, jieyouxu, marcoieni
  • Random selection from Mark-Simulacrum, jdno, marcoieni

bjorn3 (Member) commented Apr 10, 2026

I'm surprised official github actions don't use immutable releases yet.

Turbo87 (Member, Author) commented Apr 10, 2026

yeah, same, but unfortunately that seems to be the case. once they switch to immutable releases we can consider going back, although we would then still need to use the full version tags (v1.2.3 instead of v1) to take advantage.

Turbo87 (Member, Author) commented Apr 16, 2026

r? @marcoieni

@rustbot rustbot assigned marcoieni and unassigned jdno Apr 16, 2026
marcoieni (Member) commented

I think it's better to set up renovate and let it do this job. Otherwise we need to update these actions manually after we merge this. Or worse, these actions don't get updated.

marcoieni (Member) commented Apr 16, 2026

At the moment renovate isn't enabled in this repo.

So we should

  1. enable forking-renovate for this repo in the team repo
  2. Change https://github.com/rust-lang/rust/blob/main/.github/renovate.json5 to only update github actions

Wdyt?

Turbo87 (Member, Author) commented Apr 30, 2026

Wdyt?

sounds good to me, but at least the first step requires permissions that I don't have :D
