Skip to content

ci: pin GitHub Actions to full commit SHAs to prevent supply-chain attacks#780

Open
XananasX7 wants to merge 1 commit into
cohere-ai:mainfrom
XananasX7:ci/pin-actions-to-full-commit-sha
Open

ci: pin GitHub Actions to full commit SHAs to prevent supply-chain attacks#780
XananasX7 wants to merge 1 commit into
cohere-ai:mainfrom
XananasX7:ci/pin-actions-to-full-commit-sha

Conversation

@XananasX7

@XananasX7 XananasX7 commented Jun 28, 2026

Copy link
Copy Markdown

Summary

Pins all GitHub Actions in the CI workflow to full commit SHAs instead of mutable version tags.

Vulnerability

Using mutable tags like @v3, @v4, @v1 means the action code can change without any notice — a compromised or malicious update to the action repository could silently alter what runs in CI. This is a common supply-chain attack vector (see tj-actions/changed-files incident).

Changes

Action Before After
actions/checkout @v3 @f43a0e5 (v3)
actions/setup-python @v4 @7f4fc3e (v4)
snok/install-poetry @v1 @a783c32 (v1)

All pins point to the exact same version as before — behaviour is unchanged. The human-readable version comment is kept for readability.

References


Note

Low Risk
CI-only supply-chain hardening; no application, auth, or data-path changes.

Overview
Hardens CI by replacing mutable action tags (@v3, @v4, @v1) with immutable full commit SHAs for actions/checkout, actions/setup-python, and snok/install-poetry in the compile, test, and publish jobs in .github/workflows/ci.yml.

Each pin keeps a version comment (e.g. # v3) so upgrades stay readable. Runtime behavior is unchanged—the SHAs match the same releases that were referenced by the tags before.

Reviewed by Cursor Bugbot for commit b407fb7. Bugbot is set up for automated code reviews on this repo. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant