
Pin actions/upload-artifact to SHA#127

Merged
TooManyBees merged 1 commit into actions:main from heavymachinery:pin-sha
Aug 14, 2025

Conversation

@heavymachinery
Contributor

👋 Updating uses: actions/upload-artifact@v4 in the composite action to pin to v4.6.2 SHA

Copilot AI review requested due to automatic review settings August 14, 2025 12:29
@heavymachinery heavymachinery requested a review from a team as a code owner August 14, 2025 12:29

Copilot AI left a comment


Pull Request Overview

Updates the GitHub Actions workflow to pin the actions/upload-artifact action to a specific SHA instead of using the floating tag v4. This improves security and reproducibility by ensuring the exact version of the action is used.

  • Pins actions/upload-artifact from v4 to SHA ea165f8d65b6e75b540449e92b4886f43607fa02 (v4.6.2)


@TooManyBees TooManyBees merged commit 7b1f4a7 into actions:main Aug 14, 2025
3 checks passed
Aureliolo added a commit to Aureliolo/synthorg that referenced this pull request Mar 11, 2026
…ing (#299)

## Summary

- **Upgrade `actions/upload-pages-artifact` v3 → v4** — v4.0.0 ([PR
#127](actions/upload-pages-artifact#127))
SHA-pins its internal `actions/upload-artifact` dependency, fixing the
`sha_pinning_required` conflict where the composite action's tag
reference (`@v4`) was rejected by the repo's Actions permissions policy
- **Add `zizmor` workflow security analysis** — runs on workflow file
changes (push to main + PRs), catches unpinned actions, script
injection, excessive permissions, and uploads SARIF to the Security tab
- **Add explicit failure on release retry exhaustion** — retry loop now
sets a `FOUND` flag so exhaustion surfaces a clear `::error::` instead
of falling through to a confusing `gh release edit` failure (Greptile PR
#298 finding)

## Context

After merging #298, the Pages workflow failed on main because
`upload-pages-artifact` v3 internally called
`actions/upload-artifact@v4` (tag, not SHA), violating the repo's
`sha_pinning_required: true` setting. This is a [known
limitation](actions/runner#2195) with
composite actions — GitHub enforces SHA pinning transitively but
composite action authors don't always pin their internal deps. v4.0.0
fixed this upstream.

The zizmor workflow provides CI-level enforcement of SHA pinning and
other workflow security checks, complementing the repo-level
`sha_pinning_required` setting.

## Test plan

- [ ] Pages workflow succeeds on main after merge (v4
upload-pages-artifact)
- [ ] zizmor workflow runs and uploads SARIF on this PR's workflow
changes
- [ ] Verify no breaking change from v4 dotfile exclusion (MkDocs/Astro
output has no dotfiles)
- [ ] Release retry loop fails clearly after exhaustion (manual
verification of logic)
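The check the commit message describes (catching `uses:` references that are not pinned to a commit SHA, including the transitive `@v4` tag inside a composite action) as an added illustration; this is not code from this PR, from GitHub's `sha_pinning_required` enforcement, or from zizmor. The two YAML fragments are constructed to mirror the before and after state of this PR's composite action.

```python
import re

# A fully pinned reference is a 40-hex-character commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches `uses: owner/repo[/path]@ref` in workflow and composite-action YAML.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?")

# Constructed sample: the composite action step before this PR (floating tag).
ACTION_BEFORE = """
runs:
  using: composite
  steps:
    - uses: actions/upload-artifact@v4
      with:
        name: github-pages
"""

# Constructed sample: the same step after this PR (SHA from the PR, tag in a comment).
ACTION_AFTER = """
runs:
  using: composite
  steps:
    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
      with:
        name: github-pages
"""


def find_unpinned_uses(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every `uses:` that is not SHA-pinned.

    Local actions (`./path`) and Docker images (`docker://`) have no git ref
    to pin, so they are skipped; everything else must carry a 40-hex SHA.
    """
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")  # version is "" when no @ref at all
        if not SHA_RE.match(version):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for label, text in (("before", ACTION_BEFORE), ("after", ACTION_AFTER)):
        print(f"{label}: unpinned = {find_unpinned_uses(text)}")
```

Running the scanner over every action.yml a workflow pulls in, not only the top-level workflow, is what catches the transitive case this PR fixed.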
