gha: Pin third-party actions to commit hashes

A popular third-party action has recently been compromised [1][2] and the attacker managed to point multiple git version tags to a malicious commit containing code to exfiltrate secrets. This PR follows GitHub's recommendation [3] to pin third-party actions to a full-length commit hash, to mitigate such attacks. Hopefully actionlint starts warning about this soon [4]. [1] https://www.cve.org/CVERecord?id=CVE-2025-30066 [2] https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised [3] https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions [4] https://github.com/rhysd/actionlint/pull/436 Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-15 05:49:05 +00:00 · 2025-03-17 12:23:15 -05:00
parent ba5b0777b5
commit a678046d13
24 changed files with 64 additions and 64 deletions
--- a/.github/workflows/commit-message-check.yaml
+++ b/.github/workflows/commit-message-check.yaml
@@ -26,7 +26,7 @@ jobs:
    - name: Get PR Commits
      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
      id: 'get-pr-commits'
-      uses: tim-actions/get-pr-commits@v1.2.0
+      uses: tim-actions/get-pr-commits@c64db31d359214d244884dd68f971a110b29ab83 # v1.2.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        # Filter out revert commits
@@ -41,19 +41,19 @@ jobs:

    - name: DCO Check
      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') }}
-      uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20
+      uses: tim-actions/dco@2fd0504dc0d27b33f542867c300c60840c6dcb20 # master (2020-04-28)
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Commit Body Missing Check
      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-body-check@v1.0.2
+      uses: tim-actions/commit-body-check@d2e0e8e1f0332b3281c98867c42a2fbe25ad3f15 # v1.0.2
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}

    - name: Check Subject Line Length
      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
        pattern: '^.{0,75}(\n.*)*$'
@@ -62,7 +62,7 @@ jobs:

    - name: Check Body Line Length
      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
        # Notes:
@@ -93,7 +93,7 @@ jobs:

    - name: Check Subsystem
      if: ${{ (env.PR_AUTHOR != 'dependabot[bot]') && !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: tim-actions/commit-message-checker-with-regex@v0.3.1
+      uses: tim-actions/commit-message-checker-with-regex@d6d9770051dd6460679d1cab1dcaa8cffc5c2bbd # v0.3.1
      with:
        commits: ${{ steps.get-pr-commits.outputs.commits }}
        pattern: '^[\s\t]*[^:\s\t]+[\s\t]*:'