Skip to content

Pin actions/cache #143

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 17, 2025
Merged

Pin actions/cache #143

merged 1 commit into from
Oct 17, 2025

Conversation

@edgarrmondragon
Copy link
Contributor

@edgarrmondragon edgarrmondragon commented Oct 17, 2025

GitHub recently added support for requiring actions to be pinned to a full-length commit SHA1.

Their changelog doesn't mention that composite actions also fail if their own actions are not pinned, which is the case for this project.

Hope this makes sense. I added the commit SHAs using pinact run action.yml.

Footnotes

  1. https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/

@edgarrmondragon
Pin actions/cache
73f0a10 
GitHub recently added support for requiring actions to be pinned to a full-length commit SHA[^1].

Their changelog doesn't mention that composite actions also fail if their own actions are not pinned, which is the case for this project.

Hope this makes sense. I added the commit SHAs using [`pinact run action.yml`](https://github.com/suzuki-shunsuke/pinact).

[^1]: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
@adriencaccia adriencaccia merged commit 28d7fb8 into CodSpeedHQ:main Oct 17, 2025
37 of 39 checks passed
@adriencaccia
Copy link
Member

adriencaccia commented Oct 17, 2025

Thanks a lot for this @edgarrmondragon!

@edgarrmondragon edgarrmondragon deleted the pin-actions branch October 17, 2025 13:54
@edgarrmondragon
Copy link
Contributor Author

edgarrmondragon commented Oct 23, 2025
edited
Loading

@adriencaccia I probably should've mentioned that this will actions/cache will be stuck v4.3.0 unless you manually update it with tool like pinact, or set up Dependabot/Renovate. Either will handle the pinning to a commit SHA automatically.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adriencaccia adriencaccia adriencaccia approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@edgarrmondragon @adriencaccia