[release/v7.4.15] [StepSecurity] ci: Harden GitHub Actions tags #27243
daxian-dbw wants to merge 1 commit into PowerShell:release/v7.4.15 from daxian-dbw:backport/release/v7.4.15/27201-34375e905
Conversation
Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
Pull request overview
Backport of StepSecurity hardening changes to release/v7.4.15 by pinning GitHub Actions (and related reusable workflow) references to immutable commit SHAs across CI workflows and composite actions to reduce supply-chain risk.
Changes:
- Pin `actions/*`, `github-script`, and `codeql-action` references to full commit SHAs across workflows and composite actions.
- Adjust CI workflow behavior/config (path filters, concurrency grouping, environment variables) alongside the ref pinning.
- Update macOS CI runner labels to `macos-15-large` in `macos-ci.yml`.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 15 comments.
| File | Description |
|---|---|
| .github/workflows/xunit-tests.yml | Pins checkout/setup-dotnet/upload-artifact to SHA in reusable xUnit workflow. |
| .github/workflows/windows-packaging-reusable.yml | Pins checkout/setup-dotnet/upload-artifact to SHA in reusable Windows packaging workflow. |
| .github/workflows/windows-ci.yml | Pins checkout to SHA and updates CI conditions/config (also passes GITHUB_TOKEN to composite test action). |
| .github/workflows/verify-markdown-links.yml | Pins checkout to SHA for link verification workflow. |
| .github/workflows/macos-ci.yml | Pins checkout/setup-dotnet/upload-artifact to SHA and changes runner label to macos-15-large (also passes GITHUB_TOKEN to composite test action). |
| .github/workflows/linux-ci.yml | Pins checkout to SHA and updates CI conditions/config (also passes GITHUB_TOKEN to composite test action; CodeQL dependency commented out in ready_to_merge). |
| .github/workflows/labels.yml | Pins checkout and github-script to SHA for label enforcement workflow. |
| .github/workflows/copilot-setup-steps.yml | Pins checkout to SHA for Copilot setup workflow. |
| .github/workflows/analyze-reusable.yml | Pins setup-dotnet (and already-pinned checkout/codeql) to SHA in CodeQL reusable workflow. |
| .github/actions/test/windows/action.yml | Pins download-artifact/setup-dotnet in Windows composite test action. |
| .github/actions/test/process-pester-results/action.yml | Pins upload-artifact in Pester results processing composite action. |
| .github/actions/test/nix/action.yml | Pins download-artifact/setup-dotnet/github-script in non-Windows composite test action. |
| .github/actions/test/linux-packaging/action.yml | Pins setup-dotnet/upload-artifact in Linux packaging composite action (download-artifact still tag-based). |
| .github/actions/infrastructure/path-filters/action.yml | Pins github-script in path filter composite action. |
| .github/actions/infrastructure/get-changed-files/action.yml | Pins github-script in changed-files composite action. |
| .github/actions/build/ci/action.yml | Pins setup-dotnet/upload-artifact in CI build composite action. |
| uses: "./.github/actions/test/nix" | ||
| with: | ||
| purpose: UnelevatedPesterTests | ||
| tagSet: CI | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
./.github/actions/test/nix doesn't declare a GITHUB_TOKEN input (it only defines purpose, tagSet, ctrfFolder). Passing GITHUB_TOKEN here will be treated as an unexpected/ignored input and can generate warnings; remove it or add a declared input in the composite action and plumb it through to the steps that need it.
| uses: "./.github/actions/test/nix" | ||
| with: | ||
| purpose: ElevatedPesterTests | ||
| tagSet: CI | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
./.github/actions/test/nix doesn't declare a GITHUB_TOKEN input (it only defines purpose, tagSet, ctrfFolder). Passing GITHUB_TOKEN here will be treated as an unexpected/ignored input and can generate warnings; remove it or add a declared input in the composite action and plumb it through to the steps that need it.
| uses: "./.github/actions/test/nix" | ||
| with: | ||
| purpose: UnelevatedPesterTests | ||
| tagSet: Others | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
./.github/actions/test/nix doesn't declare a GITHUB_TOKEN input (it only defines purpose, tagSet, ctrfFolder). Passing GITHUB_TOKEN here will be treated as an unexpected/ignored input and can generate warnings; remove it or add a declared input in the composite action and plumb it through to the steps that need it.
| uses: "./.github/actions/test/nix" | ||
| with: | ||
| purpose: ElevatedPesterTests | ||
| tagSet: Others | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
./.github/actions/test/nix doesn't declare a GITHUB_TOKEN input (it only defines purpose, tagSet, ctrfFolder). Passing GITHUB_TOKEN here will be treated as an unexpected/ignored input and can generate warnings; remove it or add a declared input in the composite action and plumb it through to the steps that need it.
| uses: "./.github/actions/test/windows" | ||
| with: | ||
| purpose: UnelevatedPesterTests | ||
| tagSet: CI | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
./.github/actions/test/windows doesn't declare a GITHUB_TOKEN input (it only defines purpose, tagSet, ctrfFolder). Passing GITHUB_TOKEN here will be treated as an unexpected/ignored input and can generate warnings; remove it or add a declared input in the composite action and plumb it through to the steps that need it.
| uses: "./.github/actions/test/nix" | ||
| with: | ||
| purpose: UnelevatedPesterTests | ||
| tagSet: Others | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
./.github/actions/test/nix doesn't declare a GITHUB_TOKEN input (it only defines purpose, tagSet, ctrfFolder). Passing GITHUB_TOKEN here will be treated as an unexpected/ignored input and can generate warnings; remove it or add a declared input in the composite action and plumb it through to the steps that need it.
| uses: "./.github/actions/test/nix" | ||
| with: | ||
| purpose: ElevatedPesterTests | ||
| tagSet: Others | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
./.github/actions/test/nix doesn't declare a GITHUB_TOKEN input (it only defines purpose, tagSet, ctrfFolder). Passing GITHUB_TOKEN here will be treated as an unexpected/ignored input and can generate warnings; remove it or add a declared input in the composite action and plumb it through to the steps that need it.
| ci_build: | ||
| name: Build PowerShell | ||
| runs-on: macos-latest | ||
| runs-on: macos-15-large | ||
| needs: changes |
This backport PR is described as pinning action refs, but the macOS workflow also changes runner labels from macos-latest to macos-15-large. Please confirm this runner change is intended for release/v7.4.15 and update the PR description (or revert) since it can affect toolchain/OS behavior and CI stability.
| - name: Upload deb packages | ||
| uses: actions/upload-artifact@v4 | ||
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | ||
| with: | ||
| name: packages-deb | ||
| path: ${{ runner.workspace }}/packages/*.deb | ||
| if-no-files-found: ignore |
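Review bot: the trailing `# v4.6.2` comment on the new `actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02` line is the only human-readable record of which release the SHA corresponds to, and it is the comment Dependabot and Renovate rewrite when they bump a SHA-pinned action; please verify that the comment actually matches the pinned commit at review time and keep the `sha # vX.Y.Z` form on every pinned `uses:` line in this file, otherwise the pin becomes opaque and later upgrades are easy to get wrong.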
This file pins upload-artifact, but it still uses an unpinned tag (actions/download-artifact@v4) earlier in the workflow. Since the PR goal is to harden/pin action refs, consider pinning the download-artifact reference to an immutable SHA as well for consistency.
| - linux_test_unelevated_others | ||
| - analyze | ||
| - linux_packaging | ||
| - merge_conflict_check | ||
| - infrastructure_tests | ||
| # - analyze |
ready_to_merge no longer depends on the Linux CodeQL analyze job (it's commented out). This is a functional/security behavior change, but the PR description says the edits are limited to action ref pinning and preserve workflow behavior. Please confirm whether CodeQL is intended to be disabled on Linux in this backport; if so, update the PR description and ensure there’s a tracked follow-up to re-enable it, otherwise restore the job/dependency.
Backport of #27201 to release/v7.4.15
Triggered by @daxian-dbw on behalf of @step-security-bot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Pins mutable GitHub Action tags to immutable SHA references across CI and reusable workflow definitions on release/v7.4.15 to reduce supply-chain risk in release automation.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
The backport was retried from a clean release/v7.4.15 base. Cherry-pick conflicts in the workflow files were resolved by taking the PR's higher-version SHA-pinned action references in the conflicted files, and the resulting backport commit completed successfully. CI on the backport PR will validate the updated workflows.
Risk
REQUIRED: Check exactly one box.
Medium risk because the change touches a broad set of CI and reusable workflow definitions, but the edits are limited to action reference pinning and preserve existing workflow behavior while hardening dependencies.
Merge Conflicts
Resolved conflicts in labels.yml, linux-ci.yml, macos-ci.yml, verify-markdown-links.yml, windows-ci.yml, windows-packaging-reusable.yml, and xunit-tests.yml by accepting the PR versions of the conflicted workflow files so the higher-version SHA-pinned action references were preserved.
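The pinning rule this PR applies (tag or branch refs replaced by a 40-hex commit SHA with a trailing version comment) as an added checker, written for this page and not part of the PR or the PowerShell repository: it walks a workflow or composite-action file, classifies every `uses:` reference, and lists the ones a hardening pass would still have to pin. `SAMPLE` is a constructed input shaped like this PR's hunks; the all-zero SHA in it is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches a `uses:` line and captures the reference plus any trailing comment ("# v4.6.2").
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s]+)["\']?\s*(#.*)?$')
SHA_RE = re.compile(r"[0-9a-f]{40}")

@dataclass
class Finding:
    line: int
    ref: str
    status: str  # "pinned" | "unpinned" | "local"
    note: str

def classify_uses(ref: str, comment: Optional[str]) -> tuple[str, str]:
    """Decide whether one `uses:` reference is immutable."""
    if ref.startswith("./"):
        return "local", "local action, versioned with the repository itself"
    if "@" not in ref:
        return "unpinned", "no ref given"
    version = ref.rsplit("@", 1)[1]
    if not SHA_RE.fullmatch(version):
        return "unpinned", f"mutable ref {version!r}: a tag or branch can be moved"
    if comment is None:
        return "pinned", "SHA pinned, but no version comment for dependency bots"
    return "pinned", "SHA pinned"

def audit_workflow(text: str) -> list[Finding]:
    """Classify every `uses:` line of a workflow or composite action file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if m := USES_RE.match(line):
            status, note = classify_uses(m.group(1), m.group(2))
            findings.append(Finding(lineno, m.group(1), status, note))
    return findings

def unpinned_refs(text: str) -> list[str]:
    """References a hardening pass like this PR would still have to pin."""
    return [f.ref for f in audit_workflow(text) if f.status == "unpinned"]

# Constructed sample in the shape of this PR's hunks; the all-zero SHA is a placeholder.
SAMPLE = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
  - uses: actions/download-artifact@v4
  - uses: "./.github/actions/test/nix"
  - uses: actions/setup-dotnet@0000000000000000000000000000000000000000
"""
```

Running `audit_workflow(SAMPLE)` flags the two tag-based refs as unpinned, accepts the local composite action, and notes the SHA pin that lacks a version comment.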