Browse Source
This PR pins all GitHub Actions to their full commit SHAs instead of mutable version tags, protecting against tag-poisoning attacks like the recent TeamPCP supply chain campaign (March 2026). Changes: - Pin all 18 unique actions across 19 workflow files to SHA - Add version comments for readability (# v6, # v7, etc.) - Pin Docker image to digest hash Actions pinned: - actions/checkout @v5, @v6 - actions/setup-python @v6 - actions/upload-artifact @v7 - actions/download-artifact @v8 - actions/cache @v5 - actions/labeler @v6 - actions/add-to-project @v1.0.2 - astral-sh/setup-uv @v7 - cloudflare/wrangler-action @v3 - CodSpeedHQ/action @v4 - dorny/paths-filter @v4 - eps1lon/actions-label-merge-conflict @v3.0.3 - mxschmitt/action-tmate @v3 - pre-commit-ci/lite-action @v1.1.0 - re-actors/alls-green @release/v1 - tiangolo/issue-manager @0.6.0 - tiangolo/latest-changes @0.4.1 - agilepathway/pull-request-label-checker (Docker) Security benefit: Tag-pinned actions can be silently modified if the upstream repository is compromised. SHA pinning ensures immutability. Dependabot/Renovate can auto-update SHA pins safely. Co-Authored-By: Claude Opus 4.5 <[email protected]>pull/15225/head
19 changed files with 85 additions and 85 deletions
@ -12,7 +12,7 @@ jobs: |
|||||
name: Add to project |
name: Add to project |
||||
runs-on: ubuntu-latest |
runs-on: ubuntu-latest |
||||
steps: |
steps: |
||||
- uses: actions/[email protected] |
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2 |
||||
with: |
with: |
||||
project-url: https://github.com/orgs/fastapi/projects/2 |
project-url: https://github.com/orgs/fastapi/projects/2 |
||||
github-token: ${{ secrets.PROJECTS_TOKEN }} |
github-token: ${{ secrets.PROJECTS_TOKEN }} |
||||
|
|||||
@ -27,7 +27,7 @@ jobs: |
|||||
env: |
env: |
||||
GITHUB_CONTEXT: ${{ toJson(github) }} |
GITHUB_CONTEXT: ${{ toJson(github) }} |
||||
run: echo "$GITHUB_CONTEXT" |
run: echo "$GITHUB_CONTEXT" |
||||
- uses: tiangolo/[email protected] |
- uses: tiangolo/issue-manager@2fb3484ec9279485df8659e8ec73de262431737d # 0.6.0 |
||||
with: |
with: |
||||
token: ${{ secrets.GITHUB_TOKEN }} |
token: ${{ secrets.GITHUB_TOKEN }} |
||||
config: > |
config: > |
||||
|
|||||
@ -26,17 +26,17 @@ jobs: |
|||||
run: echo "$GITHUB_CONTEXT" |
run: echo "$GITHUB_CONTEXT" |
||||
# pin to actions/checkout@v5 for compatibility with latest-changes |
# pin to actions/checkout@v5 for compatibility with latest-changes |
||||
# Ref: https://github.com/actions/checkout/issues/2313 |
# Ref: https://github.com/actions/checkout/issues/2313 |
||||
- uses: actions/checkout@v5 |
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 |
||||
with: |
with: |
||||
# To allow latest-changes to commit to the main branch |
# To allow latest-changes to commit to the main branch |
||||
token: ${{ secrets.FASTAPI_LATEST_CHANGES }} |
token: ${{ secrets.FASTAPI_LATEST_CHANGES }} |
||||
# Allow debugging with tmate |
# Allow debugging with tmate |
||||
- name: Setup tmate session |
- name: Setup tmate session |
||||
uses: mxschmitt/action-tmate@v3 |
uses: mxschmitt/action-tmate@c0afd6f790e3a5564914980036ebf83216678101 # v3 |
||||
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} |
if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.debug_enabled == 'true' }} |
||||
with: |
with: |
||||
limit-access-to-actor: true |
limit-access-to-actor: true |
||||
- uses: tiangolo/[email protected] |
- uses: tiangolo/latest-changes@c9d329cb147f0ddf4fb631214e3f838ff17ccbbd # 0.4.1 |
||||
with: |
with: |
||||
token: ${{ secrets.GITHUB_TOKEN }} |
token: ${{ secrets.GITHUB_TOKEN }} |
||||
latest_changes_file: docs/en/docs/release-notes.md |
latest_changes_file: docs/en/docs/release-notes.md |
||||
|
|||||
@ -18,7 +18,7 @@ jobs: |
|||||
env: |
env: |
||||
GITHUB_CONTEXT: ${{ toJson(github) }} |
GITHUB_CONTEXT: ${{ toJson(github) }} |
||||
run: echo "$GITHUB_CONTEXT" |
run: echo "$GITHUB_CONTEXT" |
||||
- uses: actions/checkout@v5 |
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 |
||||
name: Checkout PR for own repo |
name: Checkout PR for own repo |
||||
if: env.HAS_SECRETS == 'true' |
if: env.HAS_SECRETS == 'true' |
||||
with: |
with: |
||||
@ -30,7 +30,7 @@ jobs: |
|||||
# A token other than the default GITHUB_TOKEN is needed to be able to trigger CI |
# A token other than the default GITHUB_TOKEN is needed to be able to trigger CI |
||||
token: ${{ secrets.PRE_COMMIT }} |
token: ${{ secrets.PRE_COMMIT }} |
||||
# pre-commit lite ci needs the default checkout configs to work |
# pre-commit lite ci needs the default checkout configs to work |
||||
- uses: actions/checkout@v5 |
- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 |
||||
name: Checkout PR for fork |
name: Checkout PR for fork |
||||
if: env.HAS_SECRETS == 'false' |
if: env.HAS_SECRETS == 'false' |
||||
with: |
with: |
||||
@ -38,11 +38,11 @@ jobs: |
|||||
ref: ${{ github.event.pull_request.head.sha }} |
ref: ${{ github.event.pull_request.head.sha }} |
||||
fetch-depth: 0 |
fetch-depth: 0 |
||||
- name: Set up Python |
- name: Set up Python |
||||
uses: actions/setup-python@v6 |
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 |
||||
with: |
with: |
||||
python-version-file: ".python-version" |
python-version-file: ".python-version" |
||||
- name: Setup uv |
- name: Setup uv |
||||
uses: astral-sh/setup-uv@v7 |
uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7 |
||||
with: |
with: |
||||
cache-dependency-glob: | |
cache-dependency-glob: | |
||||
pyproject.toml |
pyproject.toml |
||||
@ -65,7 +65,7 @@ jobs: |
|||||
git commit -m "🎨 Auto format" |
git commit -m "🎨 Auto format" |
||||
git push |
git push |
||||
fi |
fi |
||||
- uses: pre-commit-ci/[email protected] |
- uses: pre-commit-ci/lite-action@5d6cc0eb514c891a40562a58a8e71576c5c7fb43 # v1.1.0 |
||||
if: env.HAS_SECRETS == 'false' |
if: env.HAS_SECRETS == 'false' |
||||
with: |
with: |
||||
msg: 🎨 Auto format |
msg: 🎨 Auto format |
||||
@ -85,6 +85,6 @@ jobs: |
|||||
GITHUB_CONTEXT: ${{ toJson(github) }} |
GITHUB_CONTEXT: ${{ toJson(github) }} |
||||
run: echo "$GITHUB_CONTEXT" |
run: echo "$GITHUB_CONTEXT" |
||||
- name: Decide whether the needed jobs succeeded or failed |
- name: Decide whether the needed jobs succeeded or failed |
||||
uses: re-actors/alls-green@release/v1 |
uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1 |
||||
with: |
with: |
||||
jobs: ${{ toJSON(needs) }} |
jobs: ${{ toJSON(needs) }} |
||||
|
|||||
Loading…
Reference in new issue