[release/v7.6.1] [StepSecurity] ci: Harden GitHub Actions tags by daxian-dbw · Pull Request #27236 · PowerShell/PowerShell · GitHub
Merged
4 changes: 2 additions & 2 deletions .github/actions/build/ci/action.yml
Expand Up @@ -21,7 +21,7 @@ runs:
steps:
- name: Get changed files
id: get-files
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
with:
script: |
const eventTypes = '${{ inputs.event-types }}'.split(',').map(t => t.trim());
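Review bot: the `# v7.1.0` trailer on the new `uses:` line is a comment the runner never reads, so nothing in this hunk verifies that f28e40c7f34bde8b3046d885e986cb6290c5673b really is the commit tagged v7.1.0; check it at review time with `git ls-remote --tags https://github.com/actions/github-script` (use the peeled `^{}` entry if the tag is annotated) and let Dependabot or Renovate move the SHA and the comment together from here on, since both tools update SHA-pinned actions. Also note that after this PR the repository pins actions/github-script to three different v7 commits (v7.1.0 here, v7.0.1 in infrastructure/path-filters, v7.0.0 in test/nix); one SHA for every v7 call site would make the next bump a single edit and a single review.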
2 changes: 1 addition & 1 deletion .github/actions/infrastructure/path-filters/action.yml
Expand Up @@ -39,7 +39,7 @@ runs:

- name: Check if GitHubWorkflowChanges is present
id: filter
uses: actions/github-script@v7.0.1
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
env:
FILES_JSON: ${{ steps.get-files.outputs.files }}
with:
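Review bot: this is one of the few hunks that is a pure pin: the old reference was already the exact tag v7.0.1, so 60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 changes only how the version is resolved, not what runs, which is exactly what the PR title promises. Hunks elsewhere in this change move a major version at the same time and deserve separate scrutiny. Passing the previous step's output through `env: FILES_JSON` instead of interpolating `${{ steps.get-files.outputs.files }}` into `script:` is the right defence against expression injection; keep that shape when this step is next touched.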
8 changes: 4 additions & 4 deletions .github/actions/test/linux-packaging/action.yml
Expand Up @@ -11,7 +11,7 @@ runs:
Show-Environment
shell: pwsh

- uses: actions/setup-dotnet@v5
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json

Comment on lines +14 to 17
Copilot AI Apr 9, 2026

While actions/setup-dotnet is now pinned, this composite action still references actions/download-artifact@v4 later in the file via a mutable tag. To fully harden action dependencies, pin actions/download-artifact to an immutable commit SHA as well.

Expand Down Expand Up @@ -97,21 +97,21 @@ runs:
shell: pwsh

- name: Upload deb packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-deb
path: ${{ runner.workspace }}/packages/*.deb
if-no-files-found: ignore

- name: Upload rpm packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-rpm
path: ${{ runner.workspace }}/packages/*.rpm
if-no-files-found: ignore

- name: Upload tar.gz packages
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: packages-tar
path: ${{ runner.workspace }}/packages/*.tar.gz
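Review bot: all three upload steps in this hunk keep `if-no-files-found: ignore`, so a packaging step that quietly produces no .deb, .rpm or .tar.gz still ends in a green job with an empty or missing artifact; since the purpose of this change is a release pipeline that can be trusted, `if-no-files-found: error` (or at least `warn`) on the packages-deb, packages-rpm and packages-tar steps would surface that failure instead of hiding it. Using one SHA, ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2, for all three uploads is good. The review comment above about actions/download-artifact@v4 still being referenced through a mutable tag in this file is not addressed by either hunk shown; pin it in the same change so the file is not left half hardened.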
6 changes: 3 additions & 3 deletions .github/actions/test/nix/action.yml
Expand Up @@ -29,7 +29,7 @@ runs:
shell: pwsh

- name: Download Build Artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: "${{ github.workspace }}"

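Review bot: actions/download-artifact is pinned at d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 here (and again in test/windows) with only `path:` under `with:` and no `name:`, so it pulls every artifact of the run. The producers are upload-artifact v4.6.2 in test/linux-packaging and test/process-pester-results, but upload-artifact v7.0.0 in macos-ci.yml. If the macOS jobs feed this step, confirm that a v4 downloader reads artifacts written by a v7 uploader before merging, because the pin now freezes that pairing rather than letting a floating tag paper over it.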
Expand All @@ -42,7 +42,7 @@ runs:
Write-LogGroupEnd -Title 'Artifacts Directory'
shell: pwsh

- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: ./global.json

Expand Down Expand Up @@ -101,7 +101,7 @@ runs:
Write-LogGroupEnd -Title 'Bootstrap'

- name: Extract Files
uses: actions/github-script@v7.0.0
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0
env:
DESTINATION_FOLDER: "${{ github.workspace }}/bins"
ARCHIVE_FILE_PATTERNS: "${{ github.workspace }}/build/build.zip"
2 changes: 1 addition & 1 deletion .github/actions/test/process-pester-results/action.yml
Expand Up @@ -21,7 +21,7 @@ runs:

- name: Upload testResults artifact
if: always()
uses: actions/upload-artifact@v4
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: junit-pester-${{ inputs.name }}
path: ${{ runner.workspace }}/testResults
4 changes: 2 additions & 2 deletions .github/actions/test/windows/action.yml
Expand Up @@ -29,7 +29,7 @@ runs:
shell: pwsh

- name: Download Build Artifacts
uses: actions/download-artifact@v4
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
path: "${{ github.workspace }}"

Expand All @@ -42,7 +42,7 @@ runs:
Write-LogGroupEnd -Title 'Artifacts Directory'
shell: pwsh

- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
with:
global-json-file: .\global.json

2 changes: 1 addition & 1 deletion .github/workflows/analyze-reusable.yml
Expand Up @@ -41,7 +41,7 @@ jobs:
with:
fetch-depth: '0'

- uses: actions/setup-dotnet@v5
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json

2 changes: 1 addition & 1 deletion .github/workflows/copilot-setup-steps.yml
Expand Up @@ -25,7 +25,7 @@ jobs:
# You can define any steps you want, and they will run before the agent starts.
# If you do not check out your code, Copilot will do this for you.
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000

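Review bot: this was the only call site already on actions/checkout@v6, and its pin de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 is the commit every other workflow in this PR is moved onto; the PR description should say that the v4 and v5 call sites are being upgraded to this version, not merely pinned. Because these steps run before the Copilot agent and check out with `fetch-depth: 1000`, add `persist-credentials: false` unless a later step needs to push, so the job token is not left in .git/config for the rest of the agent session.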
4 changes: 2 additions & 2 deletions .github/workflows/labels.yml
Expand Up @@ -18,11 +18,11 @@ jobs:

steps:
- name: Check out the repository
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Verify PR has label starting with 'cl-'
id: verify-labels
uses: actions/github-script@v8
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
const labels = context.payload.pull_request.labels.map(label => label.name.toLowerCase());
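Review bot: `actions/checkout@v5` to de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 is a major-version upgrade, not a pin, and the step that follows reads only `context.payload.pull_request.labels` from the event payload. If no later step in this job reads files from the working tree, drop the checkout entirely; one fewer third-party action and no token written to disk is stronger hardening than pinning it. If it has to stay, add `persist-credentials: false`. The actions/github-script@v8 to ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 pin is clean, but the composite actions stay on v7, so plan the v7 to v8 move for them as a follow-up.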
18 changes: 9 additions & 9 deletions .github/workflows/linux-ci.yml
Expand Up @@ -57,7 +57,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

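Review bot: every checkout in this file moves from `@v5` to de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2, a major-version upgrade bundled into what is presented as a tag-to-SHA swap; that is acceptable if intended, but it should be called out and the CI run for this PR read as a v6 validation. Only this first hunk keeps `persist-credentials: false`; the eight checkouts below, including the one followed by the local merge-conflict-checker action, leave the job token in .git/config for every later step. None of them visibly push, so apply the same setting throughout.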
Expand All @@ -76,7 +76,7 @@ jobs:
contents: read
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Check for merge conflict markers
uses: "./.github/actions/infrastructure/merge-conflict-checker"
Expand All @@ -88,7 +88,7 @@ jobs:
if: ${{ needs.changes.outputs.source == 'true' || needs.changes.outputs.buildModuleChanged == 'true' }}
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000

Expand All @@ -103,7 +103,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Unelevated CI
Expand All @@ -121,7 +121,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Elevated CI
Expand All @@ -139,7 +139,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Unelevated Others
Expand All @@ -157,7 +157,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Linux Elevated Others
Expand All @@ -181,7 +181,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1

Expand Down Expand Up @@ -238,7 +238,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Linux Packaging
18 changes: 9 additions & 9 deletions .github/workflows/macos-ci.yml
Expand Up @@ -57,7 +57,7 @@ jobs:
packagingChanged: ${{ steps.filter.outputs.packagingChanged }}
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Change Detection
id: filter
Expand All @@ -72,7 +72,7 @@ jobs:
if: ${{ needs.changes.outputs.source == 'true' || needs.changes.outputs.buildModuleChanged == 'true' }}
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: Build
Expand All @@ -86,7 +86,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Unelevated CI
Expand All @@ -104,7 +104,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Elevated CI
Expand All @@ -122,7 +122,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Unelevated Others
Expand All @@ -140,7 +140,7 @@ jobs:
runs-on: macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- name: macOS Elevated Others
Expand All @@ -167,10 +167,10 @@ jobs:
- macos-15-large
steps:
- name: checkout
uses: actions/checkout@v5
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 1000
- uses: actions/setup-dotnet@v4
- uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
with:
global-json-file: ./global.json
- name: Bootstrap packaging
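Review bot: `actions/setup-dotnet@v4` to c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 is a major-version bump hidden inside the pin, and it is the opposite decision from test/nix and test/windows, which pin the same action at 67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1. Either line is defensible given that `global-json-file` selects the SDK, but the repository should settle on one (v5.2.0 is already what analyze-reusable.yml and test/linux-packaging use) and the bump should be named in the PR description. The checkouts in this file likewise move from v5 to v6.0.2 without `persist-credentials: false`; none of these jobs visibly push, so set it.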
Expand Down Expand Up @@ -229,7 +229,7 @@ jobs:
testResultsFolder: "${{ runner.workspace }}/testResults"
- name: Upload package artifact
if: always()
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: macos-package
path: "*.pkg"
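Review bot: this is the only upload-artifact call pinned on the v7 line (bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0); test/linux-packaging and test/process-pester-results pin ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2, and the consumers in test/nix and test/windows pin download-artifact v4.3.0. The split predates this PR (the old tags were @v7 and @v4), but pinning freezes it, so either confirm that the v4 downloaders read v7-uploaded artifacts or move the three v4 uploads to this v7 SHA. This step also runs under `if: always()` with `path: "*.pkg"` and relies on the default `if-no-files-found` behaviour, so a failed packaging run uploads nothing with only a warning; `if-no-files-found: error` would make that visible.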
2 changes: 1 addition & 1 deletion .github/workflows/verify-markdown-links.yml
Expand Up @@ -22,7 +22,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Verify markdown links
id: verify
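Review bot: `actions/checkout@v4` to de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 jumps two major versions under a title that promises tag hardening; a link checker needs read-only access to the tree, so this is also the clearest place for `persist-credentials: false`. If the intent is to collapse every checkout in the repository onto one SHA, say so in the description and note that this workflow was exercised on v6 by the PR's own run.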
12 changes: 6 additions & 6 deletions .github/workflows/windows-ci.yml