
chore: pin GitHub Actions to commit SHAs [skip deploy]#6

Open
scottybarr wants to merge 1 commit into master from pin-actions/2026-04-29

Conversation

@scottybarr

Pin GitHub Actions to commit SHAs

This PR is part of a proactive security hardening effort across all Wealthsimple repositories.

Pinning Actions to specific commit SHAs prevents supply chain attacks where a mutable tag (e.g. @v1) could be silently updated to inject malicious code into CI. Each action has been upgraded to the latest release older than 5 days and pinned to its commit SHA. The original tag is preserved as an inline comment for readability.

Pinned Actions

| Action | Tag | SHA (short) |
|---|---|---|
| actions/checkout | v6.0.2 | de0fac2e |
| ruby/setup-ruby | v1.305.0 | 0cb964fd |

Files Changed

  • .github/workflows/ci.yml

Pins the following actions to their latest safe release (>5 days old):
- actions/checkout: pinned to v6.0.2 (de0fac2e)
- ruby/setup-ruby: pinned to v1.305.0 (0cb964fd)
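The following check is an added example and is not code from this PR or from the repository. It audits a workflow file for the pattern the PR fixes: `uses:` references that resolve through a mutable tag or branch instead of a full 40-hex commit SHA, and it reads back the tag comment the PR keeps beside each pin. The two workflow documents are constructed; the 40-character SHAs in the "after" document are placeholders built from the short SHAs in the description and are not the real release commits.

```python
import re

# Constructed "before" workflow: both actions are referenced by mutable tags.
BEFORE = """\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
"""

# Placeholder full SHAs: the PR's short SHAs padded to 40 hex chars so the
# format check passes. Real pins must use the actual release commit.
CHECKOUT_SHA = "de0fac2e" + "0" * 32
SETUP_RUBY_SHA = "0cb964fd" + "0" * 32

# Constructed "after" workflow in the shape the PR produces: full SHA pin,
# original tag preserved as an inline comment.
AFTER = f"""\
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{CHECKOUT_SHA}  # v6.0.2
      - uses: ruby/setup-ruby@{SETUP_RUBY_SHA}  # v1.305.0
        with:
          bundler-cache: true
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text):
    """Return one (lineno, action, ref, status, comment) tuple per `uses:` line.

    status is 'pinned' when ref is a full 40-hex commit SHA, 'mutable' when it
    is a tag or branch, and 'skipped' for local (./path) and docker:// actions,
    which are not resolved through a GitHub ref.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code, _, comment = line.partition("#")
        m = USES_RE.match(code)
        if not m:
            continue
        spec = m.group(1).strip("'\"")
        comment = comment.strip() or None
        if spec.startswith("./") or spec.startswith("docker://"):
            findings.append((lineno, spec, None, "skipped", comment))
            continue
        action, _, ref = spec.partition("@")
        status = "pinned" if FULL_SHA_RE.match(ref) else "mutable"
        findings.append((lineno, action, ref, status, comment))
    return findings


def mutable_refs(text):
    """Actions still resolved through a mutable ref, as 'owner/repo@ref' strings."""
    return [f"{a}@{r}" for _, a, r, status, _ in audit_workflow(text) if status == "mutable"]


def pins_missing_tag_comment(text):
    """SHA-pinned actions with no trailing '# vX.Y.Z' comment (readability convention)."""
    return [a for _, a, _, status, c in audit_workflow(text) if status == "pinned" and not c]


if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: mutable={mutable_refs(doc)} uncommented_pins={pins_missing_tag_comment(doc)}")
```

Run against a real `.github/workflows/*.yml` by reading the file into `audit_workflow`; a non-empty `mutable_refs` result is the condition this PR eliminates, and `pins_missing_tag_comment` flags pins that lost the human-readable tag.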

2 participants