
ci: pin GitHub Actions to full commit SHAs #63594

Open
XananasX7 wants to merge 1 commit into microsoft:main from XananasX7:fix/pin-actions-1782618890

Conversation

@XananasX7


Pin unpinned GitHub Actions to immutable commit SHAs. Defense against supply-chain attacks via mutable tags. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

Pin unpinned action references to immutable commit SHAs.
Version tags retained as inline comments.

See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Copilot AI review requested due to automatic review settings, June 28, 2026 03:55
typescript-automation (bot) added the label "For Uncommitted Bug" (PR for untriaged, rejected, closed or missing bug), Jun 28, 2026
github-project-automation (bot) moved this to "Not started" in PR Backlog, Jun 28, 2026
@typescript-automation


This PR doesn't have any linked issues. Please open an issue that references this PR. From there we can discuss and prioritise.


Copilot AI left a comment


Pull request overview

This PR hardens the repository’s CI by replacing a mutable GitHub Action reference (@master) with an immutable full commit SHA, reducing supply-chain risk while keeping the original ref as an inline comment for traceability.

Changes:

  • Pin microsoft/TypeScript-Twoslash-Repro-Action from @master to a full commit SHA.
  • Preserve the prior ref (master) as an inline comment for easy provenance.
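A check a maintainer could run over workflow files to find the kind of mutable reference this PR replaces, as an added example that is not part of the PR or of the TypeScript repository's own tooling: it flags every `uses:` reference whose version is not a full 40-hex commit SHA, and also flags SHA-pinned references that lack the inline version comment this PR keeps for provenance. The sample workflow below and both SHAs in it are constructed; only the `microsoft/TypeScript-Twoslash-Repro-Action` name comes from the review above, and the repository's real workflow path and the actual pinned SHA are not on this page.

```python
import re

# Constructed sample workflow (NOT the repository's real file).
# Both 40-hex SHAs below are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: twoslash-repro
on: [issue_comment]
jobs:
  repro:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      - uses: microsoft/TypeScript-Twoslash-Repro-Action@master
      - uses: microsoft/TypeScript-Twoslash-Repro-Action@0123456789abcdef0123456789abcdef01234567 # master
      - uses: octo/example-action@fedcba9876543210fedcba9876543210fedcba98
"""

# Matches a step's `uses:` line, capturing the reference and any trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
# A full commit SHA: exactly 40 hex digits (abbreviated SHAs are not accepted).
FULL_SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')


def classify_uses(ref: str) -> str:
    """Classify a `uses:` reference as local, docker, pinned, or mutable."""
    if ref.startswith("./"):
        return "local"          # path inside the repo; pinned by the checkout itself
    if ref.startswith("docker://"):
        return "docker"         # images are pinned by digest, a separate check
    if "@" not in ref:
        return "mutable"        # no ref at all resolves to the default branch
    _name, _, version = ref.rpartition("@")
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned_uses(workflow_text: str):
    """Return (line_no, ref, issue) for each reference that needs attention.

    issue is 'mutable-ref' for tags/branches, or 'no-version-comment' for a
    SHA pin that does not record the tag/branch it was pinned from.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        kind = classify_uses(ref)
        if kind == "mutable":
            findings.append((lineno, ref, "mutable-ref"))
        elif kind == "pinned" and not comment:
            findings.append((lineno, ref, "no-version-comment"))
    return findings


if __name__ == "__main__":
    for lineno, ref, issue in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {issue}: {ref}")
```

Run it over each file under `.github/workflows/`; the local-path and `docker://` cases are skipped on purpose because they are pinned by other means (the checkout commit and an image digest respectively). Note that a SHA pin freezes the action's code but not its own transitive dependencies, and that pinned SHAs still need a periodic update process, which is why the inline version comment the PR keeps matters: tooling and reviewers can see which tag the SHA was meant to track.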
