chore(ci): pin third-party actions to commit SHA #13
Merged
2a0f89a to 3a81145
Contributor
but any reason not to do it?
- astral-sh/setup-uv: upgrade v5 → v8.1.0, pin to commit SHA. The setup-uv README demonstrates SHA-pinned usage in all examples.
- python-semantic-release: bump v10.5.2 → v10.5.3, pin to commit SHA.

GitHub-owned actions/* (checkout, cache) kept on version tags — pragmatic stance matching trobz/odoo-modules convention.

Ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
3a81145 to 30f9c97
Member
Author
fair point — no strong reason not to.
nilshamerlinck approved these changes May 13, 2026
Collaborator
@xaviedoanhduy Need to impact /template/{% if enable_github_action %}.github{% endif%} as well, correct?
Member
Author
good catch, thanks. Follow-up in: #14
Why

External GitHub Actions have mutable tags — an attacker (or compromised maintainer) can re-point a tag like @v5 to malicious code. Pinning to a full commit SHA gives us an immutable reference. This is GitHub's recommended security practice:
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions

This matches the convention already in trobz/odoo-modules (regenerate-pages.yml).

What

- astral-sh/setup-uv: upgrade v5 → v8.1.0 and pin to commit SHA. The setup-uv README uses SHA-pinned format in all examples.
- python-semantic-release/python-semantic-release: bump v10.5.2 → v10.5.3 and pin to commit SHA.
- GitHub-owned actions/* (checkout, cache) kept on version tags — pragmatic stance, matches odoo-modules/regenerate-pages.yml. Upstream actions/* docs don't advocate SHA pinning.

Test plan

- pre-commit.yaml — verify green with setup-uv v8 (enable-cache: true)
- release.yaml runs python-semantic-release v10.5.3 SHA

Related: trobz/minisite-internal#11 (blog post recommending this pattern).
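The policy the PR describes (third-party actions pinned to a full commit SHA, GitHub-owned actions/* allowed to stay on version tags) is easy to drift from as workflows are edited. The following is an added example, not code from this PR or the repository: a small checker that scans workflow text for `uses:` references and reports third-party actions that are still on a mutable tag. The sample workflow is constructed here for illustration, the 40-hex SHA in it is a placeholder rather than a real setup-uv commit, and the `TRUSTED_PREFIXES` allow-list encodes the PR's stated stance on actions/*.

```python
import re
from typing import List, Tuple

# Constructed sample workflow (not from the PR). The SHA is a placeholder,
# not a real astral-sh/setup-uv commit; the trailing comment records the
# version it stands for, which is the usual convention for SHA pins.
SAMPLE_WORKFLOW = """\
name: pre-commit
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v5
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567 # v8.1.0
      - uses: python-semantic-release/python-semantic-release@v10.5.2
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# Matches a `uses:` value up to the first whitespace or comment marker.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-character lowercase hex commit SHA; short SHAs do not count.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Namespaces the PR chose to leave on version tags (GitHub-owned actions).
TRUSTED_PREFIXES = ("actions/",)


def classify(ref: str) -> str:
    """Return 'sha', 'tag', 'local' or 'docker' for one `uses:` value."""
    if ref.startswith("./"):
        return "local"          # action in this repository, no pin needed
    if ref.startswith("docker://"):
        return "docker"         # container images are out of scope here
    if "@" not in ref:
        return "tag"            # no ref at all: resolves to the default branch
    _, version = ref.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(version) else "tag"


def find_unpinned(workflow_text: str,
                  trusted_prefixes=TRUSTED_PREFIXES) -> List[Tuple[int, str]]:
    """Return (line_number, ref) for actions on a mutable ref that are not
    in the trusted allow-list. Pass trusted_prefixes=() to flag everything."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify(ref) != "tag":
            continue
        if ref.startswith(trusted_prefixes):
            continue
        findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Run against the sample, this reports the `setup-uv@v5` and `python-semantic-release@v10.5.2` lines and accepts the SHA-pinned setup-uv step and the `actions/checkout@v4` step. Two caveats worth keeping in mind when adopting the policy: a SHA pin only freezes the action's own repository contents, not whatever that action fetches at run time, and the `# vX.Y.Z` comment next to the SHA is what keeps the pin readable and lets tooling such as Dependabot propose updates.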