Security: Pin GitHub Actions to commit SHAs

Open CybotTM opened this issue 2 months ago • 0 comments

Summary

This PR addresses GitHub Actions security alerts by pinning all third-party actions to their full commit SHAs instead of version tags.

Changes

Actions Pinned to Commit SHAs

All GitHub Actions in the CI workflow have been pinned to their full 40-character commit SHAs:

  • actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 (v6.0.1)
  • actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb (v5.0.1)
  • shivammathur/setup-php@d59004228537ca90c8dca680592a08a675bf52b6 (v2)
  • codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de (v5.5.2)
  • symfonycorp/security-checker-action@88efed75353c0480777568aa3969c6f2b8f6c635 (v5)

Permissions Already Set

The workflow files already have explicit permissions: blocks:

  • ci.yml: Has permissions: contents: read at workflow level and job level
  • auto-merge-deps.yml: Has permissions: contents: write, pull-requests: write at workflow level

Security Benefits

Pinning actions to commit SHAs instead of version tags provides protection against:

  1. Tag Manipulation: Malicious actors cannot move version tags to point to compromised commits
  2. Supply Chain Attacks: Even if an action's repository is compromised, the pinned SHA ensures the exact code that was reviewed is used
  3. Immutability: Commit SHAs are immutable, while tags can be moved or deleted

Testing

The changes are non-functional - they pin the same versions currently in use to their exact commit SHAs. All existing CI checks should continue to pass.

References

CybotTM avatar Dec 19 '25 10:12 CybotTM
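A small lint that a reviewer could run over `.github/workflows/*.yml` to confirm the pinning described above. This is an added example, not code from this PR or from the composer-patches-plugin project. The sample workflow embedded below is constructed for the example: its first step uses the `actions/checkout` pin from the PR, while the `example-org/*` action names are hypothetical and exist only to show the three failure modes (tag ref, short SHA, full SHA without a version comment).

```python
import re

# A step- or job-level reference of the form `uses: owner/repo[/path]@ref`,
# optionally followed by a `# vX.Y.Z` comment recording the tag the SHA was taken from.
USES_RE = re.compile(
    r'^\s*-?\s*uses:\s*["\']?(?P<ref>[^\s"\'#]+)["\']?\s*(?:#\s*(?P<comment>.*))?$'
)
FULL_SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:", re.M)

# Constructed sample workflow (not a file from this repository). The checkout step is
# pinned the way the PR describes; the example-org/* actions are hypothetical names.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - uses: ./.github/actions/setup-toolchain
      - uses: example-org/example-action@v1
      - uses: example-org/other-action@8e8c483
      - uses: example-org/third-action@0123456789abcdef0123456789abcdef01234567
"""


def check_workflow(text):
    """Return (line_number, ref, problem) for every `uses:` that is not pinned to a
    full 40-hex commit SHA with a version comment.

    Local actions (./path) are skipped because they ship with the repository itself.
    docker:// images are skipped because they are pinned by image digest, not git SHA,
    and need a separate check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, sep, version = ref.rpartition("@")
        if not sep:
            findings.append((lineno, ref, "missing @ref"))
        elif not FULL_SHA_RE.match(version):
            # A tag or branch can be moved; a short SHA is ambiguous and GitHub
            # does not treat it as an immutable pin.
            findings.append((lineno, ref, "ref is a tag, branch or short SHA, not a full commit SHA"))
        elif not m.group("comment"):
            # Without the `# vX.Y.Z` comment nobody can tell which release the SHA
            # was taken from when reviewing or bumping it later.
            findings.append((lineno, ref, "full SHA but no version comment"))
    return findings


def has_top_level_permissions(text):
    """True if the workflow declares a top-level `permissions:` block, as ci.yml does."""
    return TOP_LEVEL_PERMISSIONS_RE.search(text) is not None


if __name__ == "__main__":
    for lineno, ref, problem in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref}: {problem}")
    print("top-level permissions block:", has_top_level_permissions(SAMPLE_WORKFLOW))
```

The lint only proves that every reference is a full SHA; it cannot prove that the SHA belongs to the tag named in the comment. Before merging a PR like this one, resolve each tag yourself with `git ls-remote --tags https://github.com/<owner>/<repo> refs/tags/<tag>` (for an annotated tag, compare the dereferenced `^{}` line) and check that the output matches the SHA in the workflow, since a wrong or stale SHA in the comment would otherwise go unnoticed.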