Pinned actions version use SHA-1 #931
Pull request overview
This PR enhances security by pinning GitHub Actions to specific SHA-1 commit hashes instead of mutable version tags, following security best practices to prevent supply chain attacks.
Key Changes:
- All GitHub Actions across workflow files now use SHA-1 commit hashes with version comments for reference
- Added security and quality queries configuration to CodeQL analysis
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| .github/workflows/publish.yml | Pinned 5 actions (checkout, setup-dotnet, upload-artifact, azure/login, download-artifact) to SHA-1 hashes |
| .github/workflows/codeql.yml | Pinned 2 actions (checkout, codeql-action init/analyze) to SHA-1 hashes and added security-extended queries |
| .github/workflows/build.yml | Pinned 2 actions (checkout, setup-dotnet) to SHA-1 hashes |
After reviewing this pull request, I found no issues that require comments. The changes consistently implement SHA-1 pinning across all workflow files, which is a security best practice. The version comments are properly formatted and help maintain readability. The additional queries parameter in the CodeQL workflow is a reasonable enhancement to enable more comprehensive security scanning.
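The review above is about the shape of `uses:` references: a full 40-character commit SHA cannot be moved the way a tag or branch can, and a trailing version comment keeps the file readable. The following is an added example, not code from this PR or repository: a small Python lint that applies exactly that check to workflow text. The embedded workflow and the 40-hex hash in it are constructed placeholders, not real files or real action commits; running it on `.github/workflows/*.yml` would report the same classes of finding a reviewer looks for.

```python
"""Lint GitHub Actions workflow files for SHA-pinned `uses:` references.

Added example (not the project's own code). Classifies every `uses:` line as
pinned (40-hex SHA with a version comment), pinned-no-comment, mutable (tag or
branch ref), or skipped (local path / docker image, which have no commit to pin).
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample workflow. The SHA is a made-up placeholder and "v4.3.0"
# is an invented label; neither refers to a real release of any action.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                  # mutable tag: can be re-pointed
      - uses: actions/setup-dotnet@main            # branch ref: changes on every push
      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v4.3.0
      - uses: actions/download-artifact@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: dotnet build
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?P<rest>.*)$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(\.\d+)*")  # e.g. "# v4.3.0"


@dataclass
class Finding:
    line_no: int
    action: str
    ref: str
    status: str  # "pinned" | "pinned-no-comment" | "mutable" | "skipped"


def classify(ref: str, rest: str) -> tuple[str, str, str]:
    """Return (action, version, status) for one `uses:` value."""
    # Local composite actions and docker images are not commit-addressable.
    if ref.startswith("./") or ref.startswith("docker://") or "@" not in ref:
        return ref, "", "skipped"
    action, _, version = ref.rpartition("@")
    if FULL_SHA_RE.match(version):
        has_comment = VERSION_COMMENT_RE.search(rest) is not None
        return action, version, "pinned" if has_comment else "pinned-no-comment"
    # Anything else (tag, branch, abbreviated SHA) can move or be replaced.
    return action, version, "mutable"


def lint_workflow(text: str) -> list[Finding]:
    """Scan workflow YAML text line by line and return one Finding per `uses:`."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, _, status = classify(m.group("ref"), m.group("rest"))
        findings.append(Finding(line_no, action, m.group("ref"), status))
    return findings


def unpinned(findings: list[Finding]) -> list[Finding]:
    """References that would fail the review: not a full commit SHA."""
    return [f for f in findings if f.status == "mutable"]


def missing_version_comment(findings: list[Finding]) -> list[Finding]:
    """Pinned, but without the human-readable version comment."""
    return [f for f in findings if f.status == "pinned-no-comment"]


def is_compliant(findings: list[Finding]) -> bool:
    return not unpinned(findings)


if __name__ == "__main__":
    # With file arguments, lint those; otherwise demonstrate on the sample.
    paths = sys.argv[1:]
    texts = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_WORKFLOW)]
    exit_code = 0
    for name, text in texts:
        for f in lint_workflow(text):
            print(f"{name}:{f.line_no}: {f.status:18} {f.ref}")
        if not is_compliant(lint_workflow(text)):
            exit_code = 1
    sys.exit(exit_code)
```

The lint deliberately treats abbreviated SHAs as mutable: only a full 40-hex commit id is unambiguous, and the same check can be run in CI so that a later change back to `@v4` fails the build rather than waiting for a reviewer to notice.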