[release/v7.4.15] [StepSecurity] ci: Harden GitHub Actions tags#27244
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Pull request overview
Backport to release/v7.4.15 that hardens GitHub Actions usage by replacing mutable uses: <action>@v... references with pinned commit SHAs across CI workflows and composite actions.
Changes:
- Pin `actions/checkout`, `actions/setup-dotnet`, `actions/upload-artifact`, `actions/download-artifact`, and `actions/github-script` references to full commit SHAs (with inline version comments).
- Update multiple platform CI workflows (Linux/macOS/Windows) and reusable workflows (xUnit, packaging) to use the pinned references.
- Update composite actions under `.github/actions/**` to use pinned action SHAs.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 9 comments.
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| fetch-depth: 1000 | ||
| - name: Setup .NET | ||
| uses: actions/setup-dotnet@v4 | ||
| uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 | ||
| with: |
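Review bot: the Checkout step in this hunk does not set `persist-credentials`, and actions/checkout defaults it to true, so the job's GITHUB_TOKEN is written into the checked-out repository's .git/config and stays available to every later step, including anything the restored .NET toolchain runs. Pinning the SHA does not change that. Unless a later step in this workflow pushes, add `persist-credentials: false` under `with:` next to `fetch-depth: 1000`, as the checkout step in the later hunk of this review already does.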
This change is described as a tag->SHA hardening backport, but it also upgrades action major versions (e.g., actions/checkout and actions/setup-dotnet are now pinned to v6.x/v5.x). If the intent is only to pin the previously-used versions, pin the commit for the existing tags (e.g. v4 for checkout, v4 for setup-dotnet) to avoid behavior changes on the release branch; otherwise please update the PR description/risk/testing notes to reflect the action version upgrades.
| @@ -64,7 +64,7 @@ jobs: | |||
| shell: pwsh | |||
| - name: Setup .NET | |||
| uses: actions/setup-dotnet@v4 | |||
| uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 | |||
| with: | |||
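Review bot: nothing in the diff ties `c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7` to the `# v5.2.0` comment; the comment is documentation that neither GitHub nor CI checks, and it is what readers and any pin-update tooling keyed on it will trust. Before merging, confirm the mapping with `git ls-remote --tags https://github.com/actions/setup-dotnet v5.2.0` and make sure the value pinned is the peeled `^{}` commit rather than the annotated tag object's SHA, since GitHub's guidance is a full-length commit SHA. The same check applies to the checkout SHA in the earlier hunk.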
This workflow is claimed to only harden tags, but actions/checkout and actions/setup-dotnet are being upgraded to newer major versions (v6.x / v5.x) as part of the pinning. For a release-branch backport, consider pinning SHAs that correspond to the existing major versions (checkout v5, setup-dotnet v4) unless the major upgrade is intentional and explicitly called out/tested.
| - name: checkout | ||
| uses: actions/checkout@v4.1.0 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
The PR description says this backport only replaces mutable tags with pinned SHAs, but this workflow effectively upgrades actions/checkout (from v4.1.0 to v6.x per the inline version comment). If the upgrade is intentional, please document it and ensure CI coverage; otherwise pin the SHA for the existing v4.1.0 (or v4) checkout version to keep behavior unchanged on the release branch.
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
This change upgrades actions/checkout from @v4 to a SHA annotated as # v6.0.2, which is more than tag hardening and could introduce behavioral changes. Consider pinning the SHA for the existing v4 release (or update the PR description/testing notes to explicitly include the major upgrade).
| steps: | ||
| - name: checkout | ||
| uses: actions/checkout@v4.1.0 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
This workflow is described as a tag->SHA hardening backport, but it also upgrades actions/checkout to v6.x (per the inline comment). For release/v7.4.15, consider pinning the SHA for the previously used checkout major version unless the upgrade is intentional and explicitly called out/tested.
| - name: checkout | ||
| uses: actions/checkout@v5 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| fetch-depth: 1000 | ||
| - uses: actions/setup-dotnet@v4 | ||
| - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 | ||
| with: | ||
| global-json-file: ./global.json |
In the packaging job, actions/setup-dotnet is being upgraded (previously @v4, now pinned as # v5.2.0). If this backport is intended to only pin existing versions, pin a commit corresponding to the existing v4 tag; otherwise please call out the major upgrade and ensure it’s covered by CI for this release branch.
| @@ -240,4 +240,4 @@ jobs: | |||
| if: always() | |||
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 | |||
This PR aims to harden action references by pinning to immutable SHAs, but ready_to_merge still references PowerShell/compliance by a mutable tag (@v1.0.0). To fully harden dependencies, pin this reusable workflow to a full commit SHA as well (and keep the # v1.0.0 comment if desired).
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0 | |
| uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@<FULL_40_CHARACTER_COMMIT_SHA> # v1.0.0 |
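Review bot: once every reference is a SHA, the release branch also needs a way to move the pins, or this hardening freezes release/v7.4.15 on today's action commits with no path to fixes in those actions. Confirm that a Dependabot `github-actions` ecosystem entry covers this branch (Dependabot reads `.github/dependabot.yml` from the default branch and only updates other branches when `target-branch` is set), or that an equivalent process will reopen PRs like this one against the release branch.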
| steps: | ||
| - name: checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false |
This workflow is claimed to only harden tags, but it upgrades actions/checkout across multiple jobs (previously a mix of v4/v5 tags, now pinned as # v6.0.2). For a release-branch backport, consider pinning SHAs that correspond to the existing major versions unless the upgrade is intentional and explicitly documented/tested.
This workflow update goes beyond tag hardening: actions/checkout moves from @v2 to a SHA annotated as # v6.0.2, and actions/github-script moves from @v6 to # v8.0.0. If these major upgrades are intentional, please update the backport description/testing notes accordingly; otherwise pin SHAs corresponding to the previously used major versions to minimize behavior change on the release branch.

Backport of #27201 to release/v7.4.15
Triggered by @daxian-dbw on behalf of @step-security-bot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Hardens GitHub Actions usage on release/v7.4.15 by replacing mutable action tag references with pinned commit SHAs. The backport preserves the release-branch workflow structure and carries over only the SHA pinning updates from the original PR.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
Verified by completing the cherry-pick on release/v7.4.15, reviewing the staged diff to confirm the backport only changes action references from version tags to pinned SHAs, and confirming the worktree is clean after cherry-pick completion. No local workflow execution was run; CI will validate behavior on the backport PR.
Risk
REQUIRED: Check exactly one box.
This touches CI/build workflow infrastructure across multiple reusable workflows and action definitions. The risk is mitigated because the backport is narrowly scoped to immutable action pin updates only, with release-branch-specific runner and workflow structure intentionally preserved.
Merge Conflicts
Conflicts occurred in .github/workflows/labels.yml, .github/workflows/linux-ci.yml, .github/workflows/macos-ci.yml, .github/workflows/verify-markdown-links.yml, .github/workflows/windows-ci.yml, .github/workflows/windows-packaging-reusable.yml, and .github/workflows/xunit-tests.yml. Resolution preserved the release/v7.4.15 workflow content and applied only the original PR's @v... to @ action reference changes. Higher-version main-branch workflow differences such as runner upgrades were not brought into the backport.
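As an added worked example (not code from this PR, from StepSecurity's bot, or from the PowerShell repository), the script below does offline what the review overview and the ready-to-merge comment ask for by hand: it finds every remote `uses:` reference in workflow text, rewrites mutable tag references to a full commit SHA with an inline version comment, reports references that are still mutable, and checks that an existing version comment actually agrees with the pinned SHA. The tag-to-commit table and the sample workflow fragment are constructed for the example; the two real SHAs in the table are copied from the diff above, and the 0123...4567 SHAs are placeholders.

```python
"""Audit and rewrite `uses:` references in GitHub Actions workflow text.

Added example, not code from this PR, StepSecurity or the PowerShell repo.
Each remote `uses:` is classified as pinned (full 40-hex commit SHA) or
mutable (tag/branch); mutable references with a known target are rewritten to
`@<sha> # <version>`, pinned ones without a version comment are flagged, and a
comment naming a version whose commit differs from the SHA is a mismatch.
Tag -> commit resolution normally needs the network (`git ls-remote --tags
https://github.com/actions/checkout v6.0.2`, taking the peeled `^{}` line for
annotated tags rather than the tag object's own SHA); a constructed table
stands in for that step here so the script runs offline.
"""
import re

# Constructed lookup: repo -> (version to pin to, commit SHA). The SHAs are
# copied from the PR diff; the table is an input, not verified against GitHub.
PINS = {
    "actions/checkout": ("v6.0.2", "de0fac2e4500dabe0009e67214ff5f5447ce83dd"),
    "actions/setup-dotnet": ("v5.2.0", "c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7"),
}

# Step-level (`- uses:`) and job-level (`uses:`) references of the form
# owner/repo[/path]@ref [# comment]; local `./...` and `docker://` do not match.
USES_RE = re.compile(
    r"""^(?P<prefix>\s*(?:-\s+)?uses:\s+)
        (?P<repo>[\w.-]+/[\w.-]+)(?P<path>/[^@\s]+)?@(?P<version>[^\s\#]+)
        (?P<comment>\s*\#.*)?\s*$""",
    re.VERBOSE,
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # only a full commit SHA counts as pinned


def classify(line):
    """Return None for lines that are not remote `uses:` references."""
    m = USES_RE.match(line)
    if not m:
        return None
    version = m.group("version")
    return {
        "prefix": m.group("prefix"),
        "repo": m.group("repo"),
        "path": m.group("path") or "",
        "version": version,
        "pinned": bool(SHA_RE.match(version)),
        "comment": (m.group("comment") or "").strip(),
    }


def harden(text, pins=PINS):
    """Return (rewritten_text, findings); each finding is (line_no, kind, detail),
    kind in: rewritten, pinned-ok, pinned-no-comment, comment-mismatch, unresolved."""
    out, findings = [], []
    for n, line in enumerate(text.splitlines(), 1):
        ref = classify(line)
        if ref is None:
            out.append(line)
            continue
        repo, version = ref["repo"], ref["version"]
        target = pins.get(repo)  # None: mutable ref we cannot resolve offline
        if ref["pinned"]:
            words = ref["comment"].lstrip("# ").split()
            claimed = words[0] if words else ""
            if not claimed:
                findings.append((n, "pinned-no-comment", version))
            elif target and claimed == target[0] and version != target[1]:
                findings.append((n, "comment-mismatch", f"{claimed} is {target[1]}, not {version}"))
            else:
                findings.append((n, "pinned-ok", repo))
            out.append(line)
        elif target is None:
            findings.append((n, "unresolved", f"{repo}@{version}"))
            out.append(line)
        else:
            new_version, sha = target
            out.append(f"{ref['prefix']}{repo}{ref['path']}@{sha} # {new_version}")
            findings.append((n, "rewritten", f"{version} -> {new_version}"))
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), findings


# Constructed workflow fragment modelled on this PR's hunks; the 0123...4567
# SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4.1.0
      - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      # placeholder SHA: pinned but undocumented
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567
      # placeholder SHA: the comment claims v6.0.2 but the commit differs
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6.0.2
      - uses: ./.github/actions/build
      - uses: docker://alpine:3.19
  ready_to_merge:
    uses: PowerShell/compliance/.github/workflows/ready-to-merge.yml@v1.0.0
"""

if __name__ == "__main__":
    print(*harden(SAMPLE)[1], sep="\n")
```

Run as a script it prints one finding per `uses:` line: the `v4.1.0` checkout is rewritten, the setup-dotnet pin passes, the undocumented pin and the stale comment are flagged, and the `PowerShell/compliance` reusable workflow is reported as unresolved because it is still a tag. In a real repository the table would be filled by resolving each tag with `git ls-remote` and the script pointed at `.github/workflows/*.yml` and `.github/actions/**/action.yml`.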