[release/v7.6.1] [StepSecurity] ci: Harden GitHub Actions tags#27236
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Pull request overview
Backport to release/v7.6.1 that hardens GitHub Actions usage by replacing mutable action tags with immutable commit SHAs across CI workflows and composite actions.
Changes:
- Pinned actions/checkout and actions/setup-dotnet (and several actions/github-script / artifact actions) to specific commit SHAs in release-branch workflows.
- Updated internal composite actions under .github/actions/** to use pinned action SHAs where modified.
- Kept release-branch workflow structure while applying tag-hardening updates.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
| - analyze | ||
| - windows_packaging | ||
| if: always() | ||
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 |
ready_to_merge still references the reusable workflow via a mutable tag (PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0). To fully harden workflow dependencies, pin this to an immutable commit SHA (and optionally keep the version comment) like the other uses: updates in this PR.
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 | |
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@<40-character-commit-sha> # v1.0.0 |
| - infrastructure_tests | ||
| # - analyze | ||
| if: always() | ||
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 |
ready_to_merge is still consuming PowerShell/compliance/.github/workflows/ready-to-merge.yml via the mutable @v1.0.0 tag. If this PR is intended to harden all workflow dependencies, this should be pinned to a specific commit SHA as well.
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 | |
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V1_0_0> |
| - macos_test_unelevated_ci | ||
| - macos_test_unelevated_others | ||
| if: always() | ||
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 |
The ready_to_merge job still uses PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0, which is a mutable tag. Consider pinning the reusable workflow reference to a commit SHA to match the tag-hardening goal of this change set.
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 | |
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@<FULL_40_CHARACTER_COMMIT_SHA_FOR_V1_0_0> |
| @@ -53,4 +53,4 @@ jobs: | |||
| if: always() | |||
| with: | |||
| name: ${{ inputs.test_results_artifact_name }} | |||
| path: ${{ github.workspace }}/xUnitTestResults.xml | |||
| path: ${{ github.workspace }}/xUnitTestResults.xml No newline at end of file | |||
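Review bot: The only visible change in this hunk is the loss of the file's trailing newline (the added path: line is identical to the removed one apart from "No newline at end of file"); restore the final newline so the backport does not carry an unrelated whitespace-only change alongside the action pinning.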
The Upload xUnit results step still uses actions/upload-artifact@v7 (mutable tag). To complete the action hardening in this workflow, pin actions/upload-artifact to an immutable commit SHA (as done for checkout/setup-dotnet).
| - name: Upload Build Artifacts | ||
| if: always() | ||
| uses: actions/upload-artifact@v7 | ||
| with: | ||
| name: windows-packaging-${{ matrix.architecture }}-${{ matrix.channel }} |
The Upload Build Artifacts step still references actions/upload-artifact@v7 (mutable tag). For consistent action hardening, pin actions/upload-artifact to a full commit SHA.
While actions/setup-dotnet is now pinned, this composite action still references actions/download-artifact@v4 later in the file via a mutable tag. To fully harden action dependencies, pin actions/download-artifact to an immutable commit SHA as well.

Backport of #27201 to release/v7.6.1
Triggered by @daxian-dbw on behalf of @step-security-bot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Backports GitHub Actions tag hardening to pin mutable workflow action references to immutable SHAs in the release/v7.6.1 CI workflows.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified by cherry-picking onto release/v7.6.1, resolving workflow conflicts by preserving the release-branch workflow structure and pinning the existing action versions to immutable SHAs, then confirming the staged diffs were limited to the intended action hardening updates. No local workflow run was performed; CI on the backport PR will validate the workflows.
Risk
REQUIRED: Check exactly one box.
Medium risk because the change affects multiple CI workflows and reusable workflow references, which can break automation if pinned incorrectly. The resolution preserved the release branch workflow structure and applied only the intended tag hardening changes.
Merge Conflicts
Conflicts occurred in .github/workflows/labels.yml, .github/workflows/linux-ci.yml, .github/workflows/macos-ci.yml, .github/workflows/verify-markdown-links.yml, .github/workflows/windows-ci.yml, .github/workflows/windows-packaging-reusable.yml, and .github/workflows/xunit-tests.yml. The release branch used older major versions of several actions than main. Resolved by keeping the release-branch workflow structure and pinning those existing action versions to immutable SHAs instead of upgrading action major versions as part of this backport.
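The Risk and Testing sections above note that the backport was checked by reading the staged diffs and that a wrong pin can break automation. The script below is an added example, not code from the PowerShell repository or from StepSecurity, showing the kind of check a maintainer can run over workflow and composite-action YAML before merging: it lists every external uses: reference that is still on a mutable tag or branch (the cases the review comments above flag, such as actions/upload-artifact@v7 and ready-to-merge.yml@v1.0.0) and, separately, SHA-pinned references that lack the trailing version comment. The sample workflow text, the two 40-character SHAs and the local action path in it are constructed placeholders.

```python
"""Audit GitHub Actions YAML for `uses:` references that are not pinned to a
full commit SHA.

Added example for this page; not code from the PowerShell repository or from
StepSecurity. The sample workflow text and the 40-hex SHAs in it are
constructed placeholders that mirror the refs discussed in the review comments.
"""
import re
from typing import Iterator, List, Tuple

# `uses:` appears on a step (`- uses:` / `uses:`) or directly under a job for a
# reusable-workflow call. Group 1 is the ref, group 2 an optional trailing comment.
USES_RE = re.compile(r'^\s*(?:-\s*)?uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def is_pinned(ref: str) -> bool:
    """True when the part after the last '@' is a full 40-character hex commit SHA."""
    if "@" not in ref:
        return False
    return bool(FULL_SHA_RE.match(ref.rsplit("@", 1)[1]))


def is_git_ref(ref: str) -> bool:
    """Local actions (./path) and docker:// images are not git refs; skip them."""
    return not ref.startswith(("./", "docker://"))


def audit_uses(yaml_text: str) -> Iterator[Tuple[int, str, bool]]:
    """Yield (line_no, ref, has_comment) for every external `uses:` line."""
    for line_no, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and is_git_ref(m.group(1)):
            yield line_no, m.group(1), bool(m.group(2))


def find_unpinned_uses(yaml_text: str) -> List[Tuple[int, str]]:
    """Refs on a mutable tag or branch: the ones tag hardening should replace."""
    return [(n, ref) for n, ref, _ in audit_uses(yaml_text) if not is_pinned(ref)]


def find_pinned_without_comment(yaml_text: str) -> List[Tuple[int, str]]:
    """SHA-pinned refs lacking the `# vX.Y.Z` comment that keeps the pin readable."""
    return [(n, ref) for n, ref, has_comment in audit_uses(yaml_text)
            if is_pinned(ref) and not has_comment]


# Constructed sample: both SHAs and the local action path are placeholders.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed SHA)
      - uses: actions/setup-dotnet@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/example-composite
      - name: Upload Build Artifacts
        uses: actions/upload-artifact@v7
  ready_to_merge:
    uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0
"""


if __name__ == "__main__":
    for n, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {n}: not pinned to a commit SHA: {ref}")
    for n, ref in find_pinned_without_comment(SAMPLE_WORKFLOW):
        print(f"line {n}: pinned but missing version comment: {ref}")
```

Run it against the real files with the workflow text read from .github/workflows/*.yml and .github/actions/**/action.yml; a non-empty result from find_unpinned_uses is the list of references the review comments ask to pin.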