Skip to content

chore(ci): pin GitHub Actions to commit SHAs and disable persisted checkout credentials #39

Description

@amondnet

Background

AI reviewers (CodeRabbit, cubic) and zizmor SAST flagged the GitHub Actions in .github/workflows/ci.yml as using mutable version tags (@v4, @v2) rather than pinned commit SHAs, and noted the checkout step does not set persist-credentials: false. Surfaced on PR #38.

These are valid supply-chain hardening concerns (a compromised action maintainer can retarget a tag to malicious code; persisted credentials widen token exposure).

Why a separate issue

PR #38 only adds the link-check job. The flagged refs (actions/checkout@v4, jdx/mise-action@v2) appear identically across all jobs in ci.yml (test, build, lint, link-check) plus codecov/codecov-action@v5 — 8+ references total. Pinning only the 2 lines added by PR #38 would leave the workflow half-pinned and inconsistently hardened, giving a false sense of security. The correct fix is a dedicated, repo-wide pass.

Scope

  • Pin every third-party action across all .github/workflows/*.yml to a full commit SHA (with a trailing # vX.Y.Z comment)
  • Add persist-credentials: false to every actions/checkout step that does not need to push
  • Consider Dependabot for github-actions to keep pinned SHAs current

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    type:ciCI/CD configuration changes

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions