
chore(ci): pin GitHub Actions to commit SHAs #12

Open

apokusin wants to merge 1 commit into main from chore/pin-actions-to-sha

Conversation

@apokusin (Contributor)

Summary

  • Pins every third-party action used in `changesets.yml`, `verify.yml`, and the local `install-dependencies` composite to a full commit SHA, with the original tag preserved as a trailing comment.
  • Motivated by the TanStack npm supply-chain compromise: floating tags like `@v4` can be retargeted by an attacker who compromises the upstream action repo, silently swapping in malicious code on the next workflow run.

Pinned versions

| Action | Tag | SHA |
| --- | --- | --- |
| actions/checkout | v4 | 34e114876b0b11c390a56381ad16ebd13914f8d5 |
| actions/setup-node | v4 | 49933ea5288caeca8642d1e84afbd3f7d6820020 |
| pnpm/action-setup | v4 | b906affcce14559ad1aafd4ab0e942779e9f58b1 |
| crazy-max/ghaction-import-gpg | v6 | e89d40939c28e39f97cf32126055eeae86ba74ec |
| changesets/action | v1.8.0 | 63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b |

Test plan

  • Verify CI passes on this PR (proves the pinned SHAs resolve and behave identically).

🤖 Generated with Claude Code

Pins all third-party actions to commit SHAs (with the original tag as a
comment) so that tag retargeting cannot inject code into the release or
verify workflows.

- actions/checkout@v4            → 34e114876b0b11c390a56381ad16ebd13914f8d5
- actions/setup-node@v4          → 49933ea5288caeca8642d1e84afbd3f7d6820020
- pnpm/action-setup@v4           → b906affcce14559ad1aafd4ab0e942779e9f58b1
- crazy-max/ghaction-import-gpg@v6 → e89d40939c28e39f97cf32126055eeae86ba74ec
- changesets/action@v1           → 63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b (v1.8.0)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
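The convention this PR adopts (every third-party `uses:` pinned to a full 40-hex commit SHA, with the original tag kept as a trailing `# vX` comment) is easy to regress the next time someone adds a step, so it is worth enforcing as a check. The Python script below is an added example, not code from this PR or the repository: it scans workflow text for `uses:` references and reports any third-party action that is still on a mutable ref (tag, branch or abbreviated SHA) or that is pinned but lacks the tag comment. Local composite actions such as `./.github/actions/install-dependencies` carry no `@ref` and are deliberately skipped, since they come from the same commit as the workflow itself. The two sample workflow snippets are constructed for illustration; the SHAs in the pinned one are the `actions/checkout` and `pnpm/action-setup` values from the table above.

```python
"""Added example: enforce the "pin to full SHA, keep the tag as a comment" rule
that this PR applies, as a check that can run in CI before workflow changes land."""
import glob
import re
import sys
from dataclasses import dataclass

# `uses: owner/repo[/subpath]@ref`, optionally quoted, with an optional trailing
# `# comment`. Local composite actions (`./.github/actions/...`) and `docker://`
# images have no `owner/repo@ref` shape and are intentionally not matched.
USES_RE = re.compile(
    r"""^\s*-?\s*uses:\s*["']?(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)"""
    r"""@(?P<ref>[^\s#"']+)["']?\s*(?:#\s*(?P<comment>.*?))?\s*$"""
)
# Only a full 40-hex SHA is immutable; tags, branches and 7-char abbreviations
# can all be moved or become ambiguous. GitHub SHAs are lowercase hex.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    reason: str


def check_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that violates the pinning policy."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m is None:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            findings.append(Finding(line_no, action, ref,
                                    "not pinned to a full 40-hex commit SHA (mutable ref)"))
        elif not comment:
            findings.append(Finding(line_no, action, ref,
                                    "pinned, but the human-readable tag comment is missing"))
    return findings


# Constructed samples (not files from the repository). The pinned SHAs are the
# ones the PR table lists for actions/checkout@v4 and pnpm/action-setup@v4.
SAMPLE_UNPINNED = """\
name: verify
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/install-dependencies
      - uses: pnpm/action-setup@v4
"""

SAMPLE_PINNED = """\
name: verify
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: ./.github/actions/install-dependencies
      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
"""


def main(paths: list[str]) -> int:
    """CLI entry point: report violations and exit non-zero if any were found."""
    files = paths or glob.glob(".github/workflows/*.y*ml")
    bad = 0
    for path in files:
        with open(path, encoding="utf-8") as fh:
            for f in check_workflow(fh.read()):
                print(f"{path}:{f.line_no}: {f.action}@{f.ref}: {f.reason}")
                bad += 1
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments from the repository root to scan `.github/workflows/`, or pass explicit paths (the `install-dependencies` composite's `action.yml` included, since composite actions also contain `uses:` steps). Against `SAMPLE_UNPINNED` it reports the two `@v4` references; against `SAMPLE_PINNED` it reports nothing. The trailing-comment requirement is a readability rule rather than a security control, but it is what lets a reviewer (or Dependabot) see which release a bare SHA corresponds to.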

cloudflare-workers-and-pages Bot commented May 12, 2026

Deploying with Cloudflare Workers

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ❌ Deployment failed | moonwell-api | 0bb2c10 | May 12 2026, 04:59 PM |


cloudflare-workers-and-pages Bot commented May 12, 2026

Deploying with Cloudflare Workers

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | moonwell-ai | 0bb2c10 | May 12 2026, 05:00 PM |
