ci: pin GitHub Actions to full commit SHAs #63593

Open
XananasX7 wants to merge 1 commit into microsoft:main from XananasX7:fix/pin-actions-1782618863

@XananasX7

Pin unpinned GitHub Actions to immutable commit SHAs. Defense against supply-chain attacks via mutable tags. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pin unpinned action references to immutable commit SHAs.
Version tags retained as inline comments.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Copilot AI review requested due to automatic review settings June 28, 2026 03:54
github-project-automation (bot) moved this to Not started in PR Backlog Jun 28, 2026

@typescript-automation

This PR doesn't have any linked issues. Please open an issue that references this PR. From there we can discuss and prioritise.

typescript-automation (bot) added the "For Uncommitted Bug" label (PR for untriaged, rejected, closed or missing bug) Jun 28, 2026

Copilot AI left a comment

Pull request overview

Pins the microsoft/TypeScript-Twoslash-Repro-Action GitHub Action in the twoslash-repros workflow to an immutable commit SHA to reduce supply-chain risk from mutable refs, while keeping the original ref as an inline comment.

Changes:

  • Replace @master with a full commit SHA for microsoft/TypeScript-Twoslash-Repro-Action.
  • Preserve the prior ref (master) as an inline comment for traceability.
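
An added example, not part of the pull request or the TypeScript repository: a check that lists the `uses:` references in a workflow file and flags any that are not pinned to a full 40-character commit SHA, keeping the trailing comment that records the original ref. The sample workflow is constructed, and the SHA in it is a placeholder, not a real commit of the action.

```python
import re

# Matches a step- or job-level `uses:` value plus an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify(ref: str) -> str:
    """Return 'local', 'pinned' or 'mutable' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"    # action stored in the same repository as the workflow
    if ref.startswith("docker://"):
        return "pinned" if "@sha256:" in ref else "mutable"
    _, sep, version = ref.partition("@")
    if sep and FULL_SHA_RE.match(version):
        return "pinned"
    return "mutable"      # branch, tag, abbreviated SHA or missing ref

def audit(workflow_text: str) -> list[dict]:
    """List every non-local `uses:` reference with its line number and status."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        status = classify(ref)
        if status != "local":
            findings.append({"line": lineno, "ref": ref,
                             "status": status, "comment": comment})
    return findings

# Constructed sample workflow; the 40-character SHA is a placeholder value.
SAMPLE = """\
jobs:
  repro:
    runs-on: ubuntu-latest
    steps:
      - uses: microsoft/TypeScript-Twoslash-Repro-Action@master
      - uses: microsoft/TypeScript-Twoslash-Repro-Action@0123456789abcdef0123456789abcdef01234567 # master
      - uses: ./.github/actions/local-setup
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f['line']}: {f['status']:8} {f['ref']}  {f['comment']}")
```

Run over a repository's `.github/workflows/*.yml` files in CI, a non-empty set of `mutable` findings can fail the build, so a reference cannot silently return to a branch or tag.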
