chore: pin third-party GitHub Actions to commit SHAs#172

Merged

adekbadek merged 2 commits into main from chore/pin-and-enable-dependabot on Jun 10, 2026

Conversation

@mahangu

@mahangu mahangu commented May 31, 2026

Contributor

Pins third-party GitHub Actions in Newspack workspace workflows to immutable commit SHAs. Dependabot GitHub Actions coverage already exists in this repo, so this PR leaves the Dependabot config unchanged.

Tracking: DEVPROD-1072

Verification commands:

# pnpm/action-setup # v4.3.0 -> b906affcce14559ad1aafd4ab0e942779e9f58b1
gh api repos/pnpm/action-setup/commits/v4.3.0 --jq '.sha'
# expected: b906affcce14559ad1aafd4ab0e942779e9f58b1

# shivammathur/setup-php # 2.37.1 -> 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc
gh api repos/shivammathur/setup-php/commits/2.37.1 --jq '.sha'
# expected: 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc

# dependabot/fetch-metadata # v2.5.0 -> 21025c705c08248db411dc16f3619e6b5f9ea21a
gh api repos/dependabot/fetch-metadata/commits/v2.5.0 --jq '.sha'
# expected: 21025c705c08248db411dc16f3619e6b5f9ea21a

# thollander/actions-comment-pull-request # v3.0.1 -> 24bffb9b452ba05a4f3f77933840a6a841d1b32b
gh api repos/thollander/actions-comment-pull-request/commits/v3.0.1 --jq '.sha'
# expected: 24bffb9b452ba05a4f3f77933840a6a841d1b32b
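The pinning convention this PR applies (full commit SHA in `uses:`, version kept as a trailing comment so Dependabot can still bump it), as an added checker that is not part of this PR or the Newspack repository: it scans workflow text for `uses:` lines and flags anything not pinned to a 40-hex SHA. The sample workflow is constructed, and `classify_uses`, `audit_workflow` and `unpinned_refs` are names chosen for this example; Python is used because the check is easier to test than a shell grep.

```python
# Added example (not the PR's own code): audit workflow text for `uses:` lines not pinned to a 40-hex commit SHA.
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/repo@ref # optional version comment"
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")

def classify_uses(line: str):
    """Classify one workflow line; returns None for lines that are not `uses:`."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref, comment = m.group(1), m.group(2)
    if ref.startswith(("./", "docker://")):
        # Local composite actions and docker images are outside this pinning policy.
        return {"ref": ref, "status": "skip", "version": comment}
    repo, _, version = ref.partition("@")
    if SHA_RE.match(version):
        # The trailing "# v4.3.0" comment is what lets Dependabot keep bumping the pin.
        status = "pinned" if comment else "pinned-no-version-comment"
    elif version:
        status = "unpinned"  # tag or branch: mutable, can be repointed at other code
    else:
        status = "missing-ref"
    return {"ref": ref, "repo": repo, "status": status, "version": comment or version}

def audit_workflow(text: str) -> list:
    """One finding per third-party `uses:` line, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = classify_uses(line)
        if result and result["status"] != "skip":
            findings.append({"line": lineno, **result})
    return findings

def unpinned_refs(text: str) -> list:
    """Refs that fail a 'SHA-pinned with version comment' policy."""
    return [f["ref"] for f in audit_workflow(text) if f["status"] != "pinned"]

# Constructed sample; the two SHAs are the values this PR pins.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
  - uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc
  - uses: ./.github/actions/local-step
"""
```

Each flagged SHA can then be confirmed against its tag with the `gh api .../commits/<tag> --jq '.sha'` commands listed above.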

@mahangu mahangu requested a review from a team as a code owner May 31, 2026 10:24
mahangu pushed a commit to Automattic/newspack-ads that referenced this pull request May 31, 2026
Updates the branch HEAD so the closed PR's files-changed view shows the
correct SHA. Repo is auto-closed legacy/mirror so no merge will happen
here; canonical fix is in Automattic/newspack-workspace#172.

Tracking: DEVPROD-1072
mahangu pushed a commit to Automattic/newspack-blocks that referenced this pull request May 31, 2026
Updates the branch HEAD so the closed PR's files-changed view shows the
correct SHA. Repo is auto-closed legacy/mirror so no merge will happen
here; canonical fix is in Automattic/newspack-workspace#172.

Tracking: DEVPROD-1072
mahangu pushed a commit to Automattic/newspack-listings that referenced this pull request May 31, 2026
Updates the branch HEAD so the closed PR's files-changed view shows the
correct SHA. Repo is auto-closed legacy/mirror so no merge will happen
here; canonical fix is in Automattic/newspack-workspace#172.

Tracking: DEVPROD-1072
mahangu pushed a commit to Automattic/newspack-multibranded-site that referenced this pull request May 31, 2026
Updates the branch HEAD so the closed PR's files-changed view shows the
correct SHA. Repo is auto-closed legacy/mirror so no merge will happen
here; canonical fix is in Automattic/newspack-workspace#172.

Tracking: DEVPROD-1072
mahangu pushed a commit to Automattic/newspack-network that referenced this pull request May 31, 2026
Updates the branch HEAD so the closed PR's files-changed view shows the
correct SHA. Repo is auto-closed legacy/mirror so no merge will happen
here; canonical fix is in Automattic/newspack-workspace#172.

Tracking: DEVPROD-1072
mahangu pushed a commit to Automattic/newspack-newsletters that referenced this pull request May 31, 2026
Updates the branch HEAD so the closed PR's files-changed view shows the
correct SHA. Repo is auto-closed legacy/mirror so no merge will happen
here; canonical fix is in Automattic/newspack-workspace#172.

Tracking: DEVPROD-1072
@mahangu mahangu force-pushed the chore/pin-and-enable-dependabot branch from 63cc829 to 02544bb Compare June 8, 2026 13:38
@mahangu mahangu changed the title from "chore: pin third-party GitHub Actions to SHAs + enable Dependabot" to "chore: pin third-party GitHub Actions to commit SHAs" Jun 8, 2026
@github-actions github-actions Bot added the "[Status] Approved" label (Pull request has been approved) Jun 10, 2026
Copilot AI review requested due to automatic review settings June 10, 2026 07:53
@adekbadek adekbadek enabled auto-merge (squash) June 10, 2026 07:53
@adekbadek adekbadek merged commit b04fe88 into main Jun 10, 2026
8 checks passed
@github-actions


Hey @mahangu, good job getting this PR merged! 🎉

Now, the needs-changelog label has been added to it.

Please check if this PR needs to be included in the "Upcoming Changes" and "Release Notes" doc. If it doesn't, simply remove the label.

If it does, please add an entry to our shared document, with screenshots and testing instructions if applicable, then remove the label.

Thank you! ❤️

Copilot AI left a comment

Contributor


Pull request overview

This PR hardens the repository’s GitHub Actions security posture by pinning third-party actions used in workspace workflows to immutable commit SHAs (while keeping Dependabot GitHub Actions updates in place).

Changes:

  • Pin pnpm/action-setup usages to b906affcce14559ad1aafd4ab0e942779e9f58b1 (v4.3.0).
  • Pin shivammathur/setup-php usages to 7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc (2.37.1).
  • Pin dependabot/fetch-metadata and thollander/actions-comment-pull-request to their respective commit SHAs.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/sync-legacy.yml: Pins pnpm/action-setup to a commit SHA for the legacy sync workflow.
  • .github/workflows/release.yml: Pins pnpm/action-setup and shivammathur/setup-php to commit SHAs for release automation.
  • .github/workflows/publish-baseline-releases.yml: Pins pnpm/action-setup and shivammathur/setup-php to commit SHAs for baseline release publishing.
  • .github/workflows/ci.yml: Pins pnpm/action-setup and shivammathur/setup-php to commit SHAs across CI jobs.
  • .github/workflows/changelog.yml: Pins thollander/actions-comment-pull-request to a commit SHA for PR commenting.
  • .github/workflows/auto-merge.yml: Pins dependabot/fetch-metadata to a commit SHA for Dependabot automerge.
  • .github/workflows/_release-wporg.yml: Pins pnpm/action-setup and shivammathur/setup-php to commit SHAs for WP.org deployment.

@adekbadek adekbadek deleted the chore/pin-and-enable-dependabot branch June 10, 2026 07:58

Labels

needs-changelog, [Status] Approved


3 participants