
chore: Pin GitHub Actions#332

Open
gjtorikian wants to merge 1 commit into main from chore/pin-github-actions-2

Conversation

@gjtorikian
Contributor

Summary

Pin all third-party GitHub Actions to immutable commit SHAs.

Why

Action tags (like v3, v4, main) can be moved or retagged, which means a future workflow run could execute different code than what we reviewed today. Pinning to SHAs makes the workflow supply chain deterministic and auditable, reducing the risk of action-level compromise or accidental breaking changes. We can still update intentionally by bumping the SHA.
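As an added illustration of the pinning procedure the description refers to (example code, not part of this PR or the project), the script below rewrites tag-based `uses:` references in a workflow to full commit SHAs with a trailing version comment, leaves already-pinned and local/docker actions alone, and can audit a file for anything still unpinned. The workflow fragment, the tag-to-SHA table and every SHA in it are constructed placeholders; in practice the table would be filled from `git ls-remote https://github.com/OWNER/REPO refs/tags/TAG` (use the peeled `^{}` commit, not the annotated tag object) or the GitHub API.

```python
import re

# Matches a `uses:` step line. Groups: leading text, action path, ref, trailing text.
USES_RE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s*)(?P<action>[^@\s]+)@(?P<ref>\S+)(?P<rest>.*)$")
# A "pinned" ref is a full 40-hex commit SHA; abbreviated SHAs and tags are not.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Local (./path) and docker:// actions have no upstream git ref to pin.
SKIP_PREFIXES = ("./", "docker://")

# Constructed sample workflow: two tag-pinned actions and one already SHA-pinned
# (the SHA is a placeholder, not a real setup-php commit).
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@v4
        with:
          path: vendor
          key: composer-${{ hashFiles('composer.lock') }}
      - uses: shivammathur/setup-php@deadbeefdeadbeefdeadbeefdeadbeefdeadbeef # 2.34.1
"""

# Constructed resolution table (owner/repo, tag) -> (commit SHA, exact version for the comment).
# Placeholder SHAs; a real table is built by resolving each tag against upstream.
RESOLVED = {
    ("actions/checkout", "v4"): ("1111111111111111111111111111111111111111", "v4.2.2"),
    ("actions/cache", "v4"): ("2222222222222222222222222222222222222222", "v4.2.0"),
}


def is_pinned(ref: str) -> bool:
    return SHA_RE.fullmatch(ref) is not None


def repo_of(action: str) -> str:
    # `owner/repo/subdir@ref` still resolves against owner/repo.
    return "/".join(action.split("/")[:2])


def find_unpinned(text: str) -> list[tuple[int, str, str]]:
    """Audit check: (line number, action, ref) for every third-party step not pinned to a SHA."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m["action"].startswith(SKIP_PREFIXES) and not is_pinned(m["ref"]):
            hits.append((n, m["action"], m["ref"]))
    return hits


def pin_workflow(text: str, resolved: dict) -> tuple[str, list[tuple[str, str]]]:
    """Rewrite tag refs to `@<sha> # <version>`; return new text and any (repo, tag) not in `resolved`."""
    out, unresolved = [], []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or m["action"].startswith(SKIP_PREFIXES) or is_pinned(m["ref"]):
            out.append(line)
            continue
        key = (repo_of(m["action"]), m["ref"])
        if key not in resolved:
            unresolved.append(key)  # leave the line untouched rather than guess
            out.append(line)
            continue
        sha, version = resolved[key]
        if not is_pinned(sha):
            raise ValueError(f"resolved value for {key} is not a full commit SHA: {sha}")
        out.append(f"{m['prefix']}{m['action']}@{sha} # {version}")
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, unresolved


if __name__ == "__main__":
    pinned, missing = pin_workflow(SAMPLE_WORKFLOW, RESOLVED)
    print(pinned)
    print("unresolved:", missing, "still unpinned:", find_unpinned(pinned))
```

Running `find_unpinned` over the pinned output is the review check: it should return an empty list, and the only lines the script changes are `uses:` lines whose ref was not already a 40-hex SHA.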

@gjtorikian gjtorikian requested a review from a team as a code owner February 26, 2026 19:53
@gjtorikian gjtorikian requested a review from dandorman February 26, 2026 19:53
@gjtorikian gjtorikian changed the title Pin GitHub Actions chore: Pin GitHub Actions Feb 26, 2026
@greptile-apps
Contributor

greptile-apps bot commented Feb 26, 2026

Greptile Summary

Pins all third-party GitHub Actions to immutable commit SHAs to improve supply chain security and auditability.

  • Replaces tag-based references (v4, v6, v8) with full commit SHAs
  • Includes version comments (e.g., # v6.0.2) for maintainability
  • Covers 5 actions across 3 workflow files: actions/checkout, actions/cache, actions/create-github-app-token, softprops/action-gh-release, and peter-evans/create-pull-request
  • Correctly leaves shivammathur/setup-php unchanged as it was already pinned

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • All changes are configuration-only, pinning GitHub Actions to SHAs is a security best practice, no logic changes, and all SHAs are properly formatted with version comments
  • No files require special attention

Important Files Changed

Filename Overview
.github/workflows/ci.yml Pinned actions/checkout and actions/cache to immutable SHAs with version comments
.github/workflows/release.yml Pinned actions/create-github-app-token, actions/checkout, and softprops/action-gh-release to SHAs
.github/workflows/version-bump.yml Pinned actions/create-github-app-token, actions/checkout, and peter-evans/create-pull-request to SHAs

Last reviewed commit: d9b7d01


@greptile-apps greptile-apps bot left a comment

3 files reviewed, no comments


@gjtorikian
Contributor Author

Ah, thanks @mthadley, but you're not a member of the PHP team, so it won't unlock here. Don't you want to join it? Doesn't it sound like fun?

@mthadley
Contributor

> Ah, thanks @mthadley, but you're not a member of the PHP team, so it won't unlock here. Don't you want to join it? Doesn't it sound like fun?

I don't see why not! I'm already a member of nearly every other SDK team. 😆
