
chore: Pin GitHub Actions #96

Merged
gjtorikian merged 1 commit into main from chore/pin-github-actions
Mar 2, 2026

Conversation

@gjtorikian (Contributor) commented Feb 26, 2026

Summary

Pin all third-party GitHub Actions to immutable commit SHAs.

Why

Action tags (like v3, v4, main) can be moved or retagged, which means a future workflow run could execute different code than what we reviewed today. Pinning to SHAs makes the workflow supply chain deterministic and auditable, reducing the risk of action-level compromise or accidental breaking changes. We can still update intentionally by bumping the SHA.
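A check a maintainer can run to confirm a workflow stays pinned the way this PR intends, as an added example (not code from this PR or the project): it flags every `uses:` reference whose ref is not a full 40-hex commit SHA, including the tag and branch forms the description warns about. The sample workflow, the placeholder SHA and the image digest below are constructed, not taken from the repository.

```python
import re

# A step- or job-level `uses:` looks like `owner/repo[/path]@ref`, `./local/path`
# or `docker://image[:tag|@sha256:digest]`; a trailing `# vX.Y.Z` comment is allowed.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_uses_ref(ref: str) -> str:
    """Classify one `uses:` value as 'pinned', 'mutable' or 'local'."""
    if ref.startswith("./"):
        return "local"  # actions in this repo ride along with the reviewed commit
    if ref.startswith("docker://"):
        # Container actions are immutable only when pinned by digest, not by tag.
        return "pinned" if "@sha256:" in ref else "mutable"
    if "@" not in ref:
        return "mutable"  # no ref at all resolves to the default branch
    _, version = ref.rsplit("@", 1)
    # Tags (v4), branches (main) and abbreviated SHAs can all be moved or collide;
    # only a full 40-character commit SHA is treated as pinned.
    return "pinned" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, ref) for every third-party action that is not SHA-pinned."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match and check_uses_ref(match.group(1)) == "mutable":
            findings.append((lineno, match.group(1)))
    return findings


# Constructed sample workflow: the SHA and digest are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - uses: docker://alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
      - uses: some-org/some-action@main
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: not pinned to a full commit SHA: {ref}")
```

Running it against the sample reports lines 7, 10 and 12; the SHA-pinned step, the local action and the digest-pinned image pass.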

greptile-apps bot commented Feb 26, 2026

Greptile Summary

This PR hardens CI/CD security by pinning all third-party GitHub Actions to immutable commit SHAs instead of mutable version tags, making the workflow supply chain deterministic and auditable.

  • All actions in main.yml, release-please.yml, and the new lint-pr-title.yml are now pinned with version comments for traceability
  • The new PR title validation workflow uses pull_request_target appropriately with read-only permissions and no code checkout
  • Added .vscode/settings.json for consistent YAML formatting in workflow files

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - implements security best practices for GitHub Actions
  • All changes are configuration-only, improve security posture, follow GitHub's recommended practices for action pinning, and include version comments for maintainability. No functional code changes or security risks introduced.
  • No files require special attention

Important Files Changed

Filename | Overview
.github/workflows/lint-pr-title.yml | New workflow file added with SHA-pinned action for PR title validation using pull_request_target with read-only permissions
.github/workflows/main.yml | All GitHub Actions updated from version tags (v3, v4) to commit SHA pins with version comments for traceability
.github/workflows/release-please.yml | GitHub Actions pinned to specific commit SHAs for release workflow and publishing job

Last reviewed commit: 548e22b


@greptile-apps greptile-apps bot left a comment


4 files reviewed, no comments


@gjtorikian gjtorikian force-pushed the chore/pin-github-actions branch from 548e22b to 09858e9 on February 26, 2026 19:48
@gjtorikian gjtorikian changed the title Pin GitHub Actions chore: Pin GitHub Actions Feb 26, 2026
@gjtorikian gjtorikian merged commit 2bd8b11 into main Mar 2, 2026
6 checks passed
@gjtorikian gjtorikian deleted the chore/pin-github-actions branch March 2, 2026 19:00