[release/v7.4.15] Pin ready-to-merge.yml reusable workflow to commit SHA#27247
Merged
daxian-dbw merged 1 commit intoApr 9, 2026
PowerShell:release/v7.4.15PowerShell/PowerShell:release/v7.4.15from
daxian-dbw:backport/release/v7.4.15/27204-58b00b5bbdaxian-dbw/PowerShell:backport/release/v7.4.15/27204-58b00b5bbCopy head branch name to clipboard
Merged
[release/v7.4.15] Pin ready-to-merge.yml reusable workflow to commit SHA#27247daxian-dbw merged 1 commit intoPowerShell:release/v7.4.15PowerShell/PowerShell:release/v7.4.15from daxian-dbw:backport/release/v7.4.15/27204-58b00b5bbdaxian-dbw/PowerShell:backport/release/v7.4.15/27204-58b00b5bbCopy head branch name to clipboard
daxian-dbw merged 1 commit into
PowerShell:release/v7.4.15PowerShell/PowerShell:release/v7.4.15from
daxian-dbw:backport/release/v7.4.15/27204-58b00b5bbdaxian-dbw/PowerShell:backport/release/v7.4.15/27204-58b00b5bbCopy head branch name to clipboard
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Backports a CI security hardening change to the release/v7.4.15 branch by pinning the PowerShell/compliance reusable workflow ready-to-merge.yml to an immutable commit SHA (instead of the mutable v1.0.0 tag), reducing supply-chain risk from tag mutation.
Changes:
- Pin
PowerShell/compliance/.github/workflows/ready-to-merge.ymlfrom@v1.0.0to@c8b3ad5819ad7078f3e375519b4f8c6232d1cbdfin Linux CI. - Apply the same pinning change in Windows CI.
- Apply the same pinning change in macOS CI.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/linux-ci.yml | Pins the ready-to-merge.yml reusable workflow to a commit SHA with a # v1.0.0 comment. |
| .github/workflows/windows-ci.yml | Pins the ready-to-merge.yml reusable workflow to a commit SHA with a # v1.0.0 comment. |
| .github/workflows/macos-ci.yml | Pins the ready-to-merge.yml reusable workflow to a commit SHA with a # v1.0.0 comment. |
adityapatwardhan
approved these changes
Apr 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Backport of #27204 to release/v7.4.15
Triggered by @daxian-dbw on behalf of @copilot-swe-agent
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
Backports the security hardening change that pins the ready-to-merge.yml reusable workflow reference from the v1.0.0 tag to a specific commit SHA. Pinning CI workflow references to commit SHAs is a security best practice that prevents tag mutation attacks.
Customer Impact
Regression
REQUIRED: Check exactly one box.
This is not a regression.
Testing
No functional code changes — only CI YAML workflow file updates. Backport cherry-picked cleanly without conflicts.
Risk
REQUIRED: Check exactly one box.
Change is limited to three .github/workflows/ files. The only modification is pinning a uses: reference from a tag to a commit SHA. No code changes, no dependency changes, no breaking changes possible.