
v5.3.6


github-actions released this 26 Nov 20:07 · commit c7983ef

Use commit SHA with version comments for all workflow action references (#239)

Standardize all GitHub Actions workflow references to use commit SHAs with version comments instead of mutable tags, ensuring deterministic builds and supply chain security.

Changes

  • GitHub Actions: Updated actions/checkout, actions/download-artifact, actions/upload-artifact, actions/upload-pages-artifact, actions/configure-pages, actions/deploy-pages to SHA references
  • PSModule Actions: Updated all PSModule actions (Auto-Release, Document-PSModule, GitHub-Script, Build-PSModule, Install-PSModuleHelpers, Get-PesterCodeCoverage, Get-PesterTestResults, Invoke-ScriptAnalyzer, Test-PSModule, Invoke-Pester, Publish-PSModule) to SHA references
  • 13 workflow files updated in .github/workflows/

Format

```yaml
# Before
uses: actions/checkout@v6

# After
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
```

Dependabot supports SHA references for automated update PRs.

Original prompt

This section details the original issue you should resolve

<issue_title>🩹 [Patch]: Use commit SHA with specific version comments for all workflow action references</issue_title>
<issue_description>### Describe the change

Standardize all GitHub Actions workflow references in this repository so that every action uses a commit SHA, with a comment specifying the most specific version tag (e.g., # v1.2.3).

Why:

  • Ensures deterministic builds and protects against unexpected updates or supply chain attacks.
  • Improves maintainability and readability by documenting the exact version in use.

Examples:
✅ Correct:

```yaml
  - name: Checkout Code
    uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v1.2.3
    with:
      persist-credentials: false
```

❌ Incorrect:

```yaml
  - name: Checkout Code
    uses: actions/checkout@v1
```

Scope of change:

  • Update all workflow files in .github/workflows/*.yml to reference actions by SHA with a version comment, instead of by tag.
  • Use the most specific version tag in comments (e.g., v1.2.3 instead of v1).
  • Affected actions may include but are not limited to: actions/checkout, actions/download-artifact, actions/upload-artifact, actions/configure-pages, actions/deploy-pages, custom PSModule actions, etc.
  • Ensure CI and linting checks do not break.
  • Document changes in affected files.

Security Note:
Dependabot is configured to notify and create PRs when upstream actions/workflows update. Dependabot supports SHA references, so using them does not reduce security or update capabilities.

Acceptance:

  • All workflows use commit SHA with a version comment specifying the most specific tag
  • No workflows reference actions by tag (e.g., @v1)
  • All CI/CD checks pass
  • Documentation is updated as needed</issue_description>
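The Format section of the release notes and the acceptance criteria above together define a mechanical check: every `uses:` reference in `.github/workflows/*.yml` must be a 40-character commit SHA followed by a comment naming the most specific tag (`# vX.Y.Z`), and no reference may be a bare tag such as `@v1`. The script below is an added example that implements that check; it is not part of the PSModule repository or of this release. The sample workflow text, the helper names (`classify_uses`, `audit_workflow`, `audit_directory`) and the placeholder SHAs made of repeated hex digits are all constructed for the example; only the `actions/checkout` SHA and `v6.0.0` comment are taken from the release notes.

```python
"""Audit GitHub Actions workflow files for action references that are not
pinned to a commit SHA with a full-version comment.

Added example for this release page, not code from the PSModule project.
It checks pin *syntax* only; it does not verify that a SHA really is the
commit the comment names.
"""
import re
from pathlib import Path
from typing import List, Optional

# A `uses:` line: optional list dash, the action reference, optional `# comment`.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)\s*(?:#\s*(?P<comment>.*))?$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# "Most specific tag" per the issue: vMAJOR.MINOR.PATCH, optional pre-release suffix.
FULL_VERSION_RE = re.compile(r"^v\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.]+)?$")


def classify_uses(ref: str, comment: Optional[str]) -> Optional[str]:
    """Return None if the reference is acceptable, otherwise a reason string."""
    ref = ref.strip("\"'")
    # Local actions (./path) and Docker images are not tag-pinned by SHA; out of scope here.
    if ref.startswith("./") or ref.startswith("docker://"):
        return None
    if "@" not in ref:
        return f"{ref!r} has no @ref at all"
    action, version = ref.rsplit("@", 1)
    if not SHA_RE.fullmatch(version):
        return f"{action} pinned to mutable ref {version!r}, not a commit SHA"
    if not comment:
        return f"{action} pinned to SHA but has no version comment"
    tag = comment.split()[0]
    if not FULL_VERSION_RE.fullmatch(tag):
        return f"{action} version comment {tag!r} is not a full vX.Y.Z tag"
    return None


def audit_workflow(text: str, name: str = "<workflow>") -> List[str]:
    """Return one finding per offending `uses:` line in a workflow file body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        reason = classify_uses(m.group("ref"), m.group("comment"))
        if reason:
            findings.append(f"{name}:{lineno}: {reason}")
    return findings


def audit_directory(workflows_dir: str = ".github/workflows") -> List[str]:
    """Audit every *.yml / *.yaml file under the workflows directory."""
    findings = []
    for path in sorted(Path(workflows_dir).glob("*.y*ml")):
        findings.extend(audit_workflow(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed sample: one correct pin (from the release notes), three violations,
# and one local action that the check deliberately ignores.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          persist-credentials: false
      - uses: actions/upload-artifact@v4
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: actions/configure-pages@abcdefabcdefabcdefabcdefabcdefabcdefabcd # v5
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    import sys
    # With a directory argument, audit a real checkout; otherwise audit the sample.
    problems = audit_directory(sys.argv[1]) if len(sys.argv) > 1 else audit_workflow(SAMPLE_WORKFLOW, "sample.yml")
    for p in problems:
        print(p)
    sys.exit(1 if problems else 0)
```

Run it as `python audit_pins.py .github/workflows` from the repository root and wire the non-zero exit into CI so a regression to `@v1`-style references fails the build. The check deliberately stops at syntax: confirming that a SHA is the commit the comment claims requires a lookup against the upstream repository, which is what Dependabot does when it bumps both the SHA and the comment in its update PRs.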
