Pinning GitHub Actions by full SHA

This lesson preview is part of the Bundling and Automation in Monorepos course.

  • [00:00 - 00:19] The next thing that I want to do is I want to increase the security of our workflow. Right now, we're pinning actions by their tag, the v5 tag for checkout, and similarly, in our pnpm action we specify tags v4.1.0 and v5.0.0.

  • [00:20 - 00:41] This is okay, but if you want absolute certainty that someone isn't going to publish a malicious tag for an action that you're using, you should be using hashes. If we go to GitHub's own documentation on third-party actions, they recommend pinning on full commit hashes.

  • [00:42 - 00:50] So let's quickly find the commit hashes for our actions. The first one is actions/checkout version v5.0.0.

  • [00:51 - 01:29] We can go to the commit and then just grab the commit hash from here where it says "Copy full SHA". You can then go in here and specify @ the commit hash, and then it's a good practice to have a comment afterwards that says what version this is. Let me replace this everywhere we're using checkout like this, so that we have the hash, and let me go to our pnpm action.

  • [01:30 - 01:34] Let's look at pnpm/action-setup. The current release is v4.1.0.

  • [01:35 - 01:56] Again, go to that specific commit, copy the full SHA, and in here turn this into a comment and replace the version with the SHA. And finally, for actions/setup-node, go to the commit and copy the full SHA.

  • [01:57 - 02:13] So now I'm going to create a branch called full-sha-for-github-actions. Add my changes. Commit this as "Full SHA for GitHub actions used as version".

  • [02:14 - 02:28] Push to... Push this to a branch on GitHub. Open the pull request and let's see if we get anything wrong, or is this going to work on the first try?

  • [02:29 - 02:44] Seems like everything works as expected. actions/checkout by SHA correctly checks out, and in our own pnpm action we are again using the SHA for setup-pnpm and for setup-node.

  • [02:45 - 02:57] With these changes in place, our workflow is more secure. I'm going to merge this commit, and this is going to be everything for this lesson.

  • [02:58 - 02:59] See you in the next one.
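The lesson pins each `uses:` reference by hand. The script below is an added example, not part of the course or of any GitHub project, that audits a workflow file for the same property the lesson enforces: every third-party action is referenced by a full 40-character commit SHA with a trailing version comment. The embedded workflow and its SHAs are constructed for the example (the hashes are obviously fake placeholders, not real commits); local composite actions (`./...`) and `docker://` references are treated as exempt because they are not resolved through GitHub tags. The check is line-based on purpose so it needs no YAML library and can run in a pre-commit hook or CI step.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow for this example (not from the course).
# The 40-hex values are placeholders, not real commit hashes.
FAKE_SHA_A = "0123456789abcdef0123456789abcdef01234567"
FAKE_SHA_B = "deadbeef" * 5
SAMPLE_WORKFLOW = f"""\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/checkout@{FAKE_SHA_A} # v5.0.0
      - uses: pnpm/action-setup@{FAKE_SHA_B}
      - uses: actions/setup-node@v4.1.0
      - uses: ./.github/actions/pnpm
      - uses: docker://alpine:3.20
      - run: pnpm install
"""

# Matches a `uses:` step line, capturing the action spec and an optional
# trailing "# ..." comment (the version note the lesson recommends).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*?))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")  # heuristic: hex-looking abbreviations


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    status: str    # pinned | pinned-no-comment | short-sha | mutable | exempt
    comment: str


def classify(action: str, ref: str, comment: str) -> str:
    """Decide how a single action reference is pinned."""
    if action.startswith("./") or action.startswith("docker://"):
        return "exempt"                       # not resolved via GitHub tags
    if FULL_SHA_RE.match(ref):
        return "pinned" if comment else "pinned-no-comment"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"                    # abbreviated SHAs are not accepted by Actions
    return "mutable"                          # tag or branch: can be moved by the publisher


def check_workflow(text: str) -> list[Finding]:
    """Scan every `uses:` line of a workflow and classify its pin."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        spec, comment = m.group(1), (m.group(2) or "").strip()
        action, _, ref = spec.partition("@")
        findings.append(Finding(n, action, ref, classify(action, ref, comment), comment))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """Everything that should block a merge: mutable refs, short SHAs, SHAs without a version comment."""
    return [f for f in findings if f.status in ("mutable", "short-sha", "pinned-no-comment")]


def render_pin(action: str, sha: str, version: str) -> str:
    """Build the `uses:` value the lesson shows: full SHA plus a version comment."""
    return f"{action}@{sha} # {version}"


if __name__ == "__main__":
    results = check_workflow(SAMPLE_WORKFLOW)
    for f in results:
        print(f"line {f.line:>3}  {f.status:<18} {f.action}@{f.ref}  {('# ' + f.comment) if f.comment else ''}")
    bad = unpinned(results)
    print(f"\n{len(bad)} reference(s) need attention")
    # Example of the corrected form for one of them (placeholder SHA):
    print(render_pin("actions/setup-node", FAKE_SHA_A, "v4.1.0"))
```

Running it on the embedded sample reports the two tag-pinned steps and the SHA without a version comment, while the correctly pinned checkout, the local action and the Docker image pass. To resolve a tag to the SHA you would pin, `git ls-remote https://github.com/OWNER/REPO refs/tags/TAG` (and, for annotated tags, the peeled `TAG^{}` line) gives the commit without leaving the terminal; the script deliberately stays offline and only validates what is already in the file.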