[release/v7.4.15] [StepSecurity] ci: Harden GitHub Actions tags #27241
daxian-dbw wants to merge 1 commit into PowerShell:release/v7.4.15 from daxian-dbw:backport/release/v7.4.15/27201-34375e905
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Pull request overview
Backport of StepSecurity hardening to release/v7.4.15, updating GitHub Actions/workflow references to use immutable commit SHAs to reduce supply-chain risk in CI and reusable workflows.
Changes:
- Replaces multiple `uses: org/action@v*` references with `uses: org/action@<full_sha> # vX.Y.Z`.
- Updates common CI workflows (Linux/macOS/Windows) and reusable workflows to use SHA-pinned `actions/checkout` and `actions/setup-dotnet`.
- Pins several composite action dependencies (`download-artifact`, `upload-artifact`, `github-script`) to SHAs.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| .github/workflows/xunit-tests.yml | Pins checkout/.NET setup action references for reusable xUnit workflow. |
| .github/workflows/windows-packaging-reusable.yml | Pins checkout/.NET setup action references for reusable Windows packaging workflow. |
| .github/workflows/windows-ci.yml | Pins checkout action references across Windows CI jobs; minor formatting adjustment in ready_to_merge inputs. |
| .github/workflows/verify-markdown-links.yml | Pins checkout for markdown link verification workflow. |
| .github/workflows/macos-ci.yml | Pins checkout across macOS CI jobs and pins .NET setup in packaging section. |
| .github/workflows/linux-ci.yml | Pins checkout across Linux CI jobs. |
| .github/workflows/labels.yml | Pins checkout and github-script used for PR label validation workflow. |
| .github/workflows/copilot-setup-steps.yml | Pins checkout for Copilot setup workflow. |
| .github/workflows/analyze-reusable.yml | Pins setup-dotnet in CodeQL reusable workflow. |
| .github/actions/test/windows/action.yml | Pins artifact download and .NET setup used in Windows test composite action. |
| .github/actions/test/process-pester-results/action.yml | Pins artifact upload used for publishing Pester results. |
| .github/actions/test/nix/action.yml | Pins artifact download, .NET setup, and github-script used in non-Windows test composite action. |
| .github/actions/test/linux-packaging/action.yml | Pins .NET setup and artifact uploads in Linux packaging composite action. |
| .github/actions/infrastructure/path-filters/action.yml | Pins github-script used in path filter composite action. |
| .github/actions/infrastructure/get-changed-files/action.yml | Pins github-script used to enumerate changed files. |
| .github/actions/build/ci/action.yml | Pins .NET setup and artifact upload in CI build composite action. |
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
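Review bot: once `actions/checkout@v4` is replaced by a bare SHA, the trailing `# v6.0.2` comment is the only human-readable version marker left on the line, and the runner does not check it against the SHA; confirm before merge that `de0fac2e4500dabe0009e67214ff5f5447ce83dd` actually resolves to the v6.0.2 tag upstream, and keep the comment in this exact `# vX.Y.Z` form so that dependency-update tooling can bump the SHA and the comment together rather than letting them drift apart.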
This change isn’t only pinning the existing actions/checkout tag; it also changes the referenced version from @v4 to a SHA labeled v6.0.2 (major bump). For a release-branch backport, consider pinning the SHA for the same major version previously used (or explicitly call out the intentional major upgrade in the PR description).
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| - name: Setup .NET | ||
| uses: actions/setup-dotnet@v4 | ||
| uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 |
This updates actions/setup-dotnet from @v4 to a SHA labeled v5.2.0 (major version change). If the goal is strictly tag hardening, pin the SHA for the previously used major version to avoid unexpected behavior changes on the release branch.
| uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 | |
| uses: actions/setup-dotnet@v4 |
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v5 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
This actions/checkout update changes from @v5 to a SHA labeled v6.0.2 (major bump). If the intent is only to pin, consider using the SHA for the existing major version to minimize workflow behavior changes on a release branch.
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 |
| - name: Setup .NET | ||
| uses: actions/setup-dotnet@v4 | ||
| uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 |
This changes actions/setup-dotnet from @v4 to a SHA labeled v5.2.0 (major version change). If you want this PR to be a pure hardening backport, pin to the SHA for the existing v4.x release instead; otherwise document the intentional upgrade and verify it against global.json/tooling expectations for this branch.
| uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 | |
| uses: actions/setup-dotnet@v4 |
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
This changes actions/checkout from @v4 to a SHA labeled v6.0.2 (major bump). If the objective is only to pin tags, consider pinning the SHA for the same major version previously used to avoid unexpected workflow behavior changes.
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 |
| steps: | ||
| - name: checkout | ||
| uses: actions/checkout@v4.1.0 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
This updates actions/checkout from @v4.1.0 to a SHA labeled v6.0.2 (major bump). For a release-branch backport intended to pin tags, consider pinning to the SHA for the same major/minor version previously used (or document the intentional major upgrade).
| with: | ||
| fetch-depth: 1000 | ||
| - uses: actions/setup-dotnet@v4 | ||
| - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 |
This step changes actions/setup-dotnet from @v4 to a SHA labeled v5.2.0 (major version change). If the goal is tag hardening only, pin to a v4.x SHA instead to avoid behavior changes in release-branch packaging.
| - uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0 | |
| - uses: actions/setup-dotnet@3a4f6e1af504cf6a31855e1d347c7c1f6df7b3a5 # v4.1.0 |
| steps: | ||
| - name: checkout | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false |
This updates actions/checkout from @v4 to a SHA labeled v6.0.2 (major bump). For a release-branch backport that’s meant to harden tags, prefer pinning the SHA for the same major version previously used (or explicitly justify the major upgrade).
| steps: | ||
| - name: Check out the repository | ||
| uses: actions/checkout@v2 | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
This changes actions/checkout from @v2 to a SHA labeled v6.0.2 (major bump). If the intention is only to pin tags, pin to the SHA for the previously used major version to reduce the chance of workflow behavior changes on this release branch.
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| uses: actions/checkout@v2 |
| - name: Verify PR has label starting with 'cl-' | ||
| id: verify-labels | ||
| uses: actions/github-script@v6 | ||
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 |
This updates actions/github-script from @v6 to a SHA labeled v8.0.0 (major bump). If the goal is strictly action pinning, pin to a SHA for the existing major version instead; otherwise note the intentional major upgrade and confirm compatibility with the current script API surface.
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| uses: actions/github-script@v6 |
Backport of #27201 to release/v7.4.15
Triggered by @daxian-dbw on behalf of @step-security-bot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Pins mutable GitHub Action tags to immutable SHA references across CI and reusable workflow definitions on release/v7.4.15, reducing supply-chain risk in the release automation path.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
The backport cherry-pick completed on top of the updated release/v7.4.15 branch after resolving workflow conflicts. The resolved files keep the PR's SHA-pinned action references in the conflicted locations while preserving release-branch-specific workflow structure. CI on the backport PR will validate the affected build, test, and workflow paths.
Risk
REQUIRED: Check exactly one box.
Medium risk because the change touches a broad set of CI and reusable workflow definitions, but the edits are limited to action reference pinning and preserve the existing release-branch workflow behavior.
Merge Conflicts
Resolved conflicts in labels.yml, linux-ci.yml, macos-ci.yml, verify-markdown-links.yml, windows-ci.yml, windows-packaging-reusable.yml, and xunit-tests.yml by preserving the release/v7.4.15 workflow structure and accepting the PR's SHA-pinned action references where the conflicts occurred. File endings were preserved with trailing newlines.