
CI: Pin GitHub Actions to commit SHAs#155089

Open
Turbo87 wants to merge 1 commit into rust-lang:main from Turbo87:pin-github-actions

Conversation

@Turbo87

@Turbo87 Turbo87 commented Apr 10, 2026

Member

Pin all third-party actions to immutable commit SHAs, with the resolved version tag in a trailing comment. This prevents upstream tags from silently changing under us.

  • actions/checkout → v6.0.2
  • actions/upload-artifact → v7.0.0
  • actions/download-artifact → v4.3.0

actions/checkout is bumped from v5 to v6 at the same time. v6 stores the git credentials outside the working tree, so it can no longer be picked up by subsequent actions/upload-artifact steps (see "artipacked" link below).

See https://docs.zizmor.sh/audits/#unpinned-uses and https://docs.zizmor.sh/audits/#artipacked

Pin all third-party actions to immutable commit SHAs, with the
resolved version tag in a trailing comment. This prevents upstream
tags from silently changing under us.

- actions/checkout          → v6.0.2
- actions/upload-artifact   → v7.0.0
- actions/download-artifact → v4.3.0

`actions/checkout` is bumped from v5 to v6 at the same time. v6
stores the git credentials outside the working tree, so it can no
longer be picked up by subsequent `actions/upload-artifact` steps.

See https://docs.zizmor.sh/audits/#unpinned-uses
and https://docs.zizmor.sh/audits/#artipacked
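As an added example (not code from the PR or the rust-lang/rust repository), a small Python checker that flags the two things the PR addresses: `uses:` references that are not pinned to a 40-character commit SHA, and SHA-pinned references that lack the trailing `# vX.Y.Z` version comment. The workflow text and the SHAs in it are constructed placeholders, not the repository's real values.

```python
import re

# A step reference looks like `uses: owner/repo[/path]@ref  # vX.Y.Z`.
# Group 1: action path, group 2: ref (tag, branch or SHA), group 3: trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)@([^\s#]+)\s*(?:#\s*(\S+))?')
SHA_RE = re.compile(r'^[0-9a-f]{40}$', re.IGNORECASE)  # full commit SHA
TAG_RE = re.compile(r'^v\d+(\.\d+)*$')                  # e.g. v6.0.2

def audit_uses(workflow_text):
    """Return (line, action, ref, problem) for every third-party `uses:` that is
    not pinned to a commit SHA or is pinned without a readable version comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local actions (./path) have no @ref and are skipped here
        action, ref, comment = m.groups()
        if action.startswith('docker://'):
            continue  # container images are pinned by digest, a separate check
        if not SHA_RE.match(ref):
            findings.append((lineno, action, ref, 'unpinned: mutable tag or branch'))
        elif comment is None:
            findings.append((lineno, action, ref, 'pinned but missing version comment'))
        elif not TAG_RE.match(comment):
            findings.append((lineno, action, ref, 'version comment is not a tag'))
    return findings

# Constructed sample workflow; the SHAs are placeholders, not real upstream commits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v6.0.2
      - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for lineno, action, ref, problem in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}@{ref}: {problem}")
```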
@rustbot rustbot added A-CI Area: Our Github Actions CI S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-infra Relevant to the infrastructure team, which will review and decide on the PR/issue. labels Apr 10, 2026
@rustbot

rustbot commented Apr 10, 2026

Collaborator

r? @jdno

rustbot has assigned @jdno.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: infra-ci
  • infra-ci expanded to Kobzol, Mark-Simulacrum, jdno, jieyouxu, marcoieni
  • Random selection from Mark-Simulacrum, jdno, marcoieni

@bjorn3

bjorn3 commented Apr 10, 2026

Member

I'm surprised official github actions don't use immutable releases yet.

@Turbo87

Turbo87 commented Apr 10, 2026

Member Author

yeah, same, but unfortunately that seems to be the case. once they switch to immutable releases we can consider going back, although we would then still need to use the full version tags (v1.2.3 instead of v1) to take advantage.

@Turbo87

Turbo87 commented Apr 16, 2026

Member Author

r? @marcoieni

@rustbot rustbot assigned marcoieni and unassigned jdno Apr 16, 2026
@marcoieni

Member

I think it's better to set up renovate and let it do this job. Otherwise we need to update these actions manually after we merge this. Or worse, these actions don't get updated.

@marcoieni

marcoieni commented Apr 16, 2026

Member

At the moment renovate isn't enabled in this repo.

So we should

  1. enable forking-renovate for this repo in the team repo
  2. Change https://github.com/rust-lang/rust/blob/main/.github/renovate.json5 to only update github actions

Wdyt?

@Turbo87

Turbo87 commented Apr 30, 2026

Member Author

> Wdyt?

sounds good to me, but at least the first step requires permissions that I don't have :D

@rust-bors

rust-bors Bot commented Jun 8, 2026

Contributor

☔ The latest upstream changes (presumably #157586) made this pull request unmergeable. Please resolve the merge conflicts.
