Skip to content

ci: pin all GitHub Actions to full commit SHAs to prevent supply-chain attacks#4190

Open
XananasX7 wants to merge 1 commit into
microsoft:mainfrom
XananasX7:ci/pin-actions-to-full-commit-sha
Open

ci: pin all GitHub Actions to full commit SHAs to prevent supply-chain attacks#4190
XananasX7 wants to merge 1 commit into
microsoft:mainfrom
XananasX7:ci/pin-actions-to-full-commit-sha

Conversation

@XananasX7

Copy link
Copy Markdown

Summary

Pins 415 GitHub Action references across 118 workflow files to full immutable commit SHAs.

Vulnerability

All CI workflows currently use mutable version tags (@v1, @v2, @v3, @v4, @v5) for GitHub Actions. A compromised action repository (or a tag force-push) could silently deliver malicious code into Microsoft's CI pipeline, with access to Azure credentials (azure/login), release publishing tokens, and test secrets.

This is the same attack class used in the tj-actions/changed-files supply chain compromise (March 2025) which affected thousands of repositories.

Actions pinned

Action Tags pinned
actions/checkout v2, v3, v4
actions/setup-python v2, v5
actions/upload-artifact v3, v4
actions/download-artifact v3, v4
actions/github-script v7
actions/create-release v1
actions/upload-release-asset v1
azure/login v1
microsoft/setup-msbuild v1.1
EnricoMi/publish-unit-test-result-action v2
irongut/CodeCoverageSummary v1.3.0
SimenB/github-actions-cpu-cores v1
snok/install-poetry v1

All pins point to the exact same code as the current tags — no behaviour change.

References

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant