Pin digest of 3rd party actions

[re-taro]

Closes #

What I did

Specified commit hash for GHA third-party action
The version specification may cause vulnerable code to be included at unintended times.

Checklist for Contributors

Testing

The changes in this PR are covered in the following automated tests:

• stories
• unit tests
• integration tests
• end-to-end tests

Manual testing

This section is mandatory for all contributions. If you believe no manual test is necessary, please state so explicitly. Thanks!

Documentation

• Add or update documentation reflecting your changes
• If you are deprecating/removing a feature, make sure to update
  MIGRATION.MD

Checklist for Maintainers

• When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

• Make sure this PR contains one of the labels below:

  Available labels

  • bug: Internal changes that fixes incorrect behavior.
  • maintenance: User-facing maintenance tasks.
  • dependencies: Upgrading (sometimes downgrading) dependencies.
  • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
  • cleanup: Minor cleanup style change. Will not show up in release changelog.
  • documentation: Documentation only changes. Will not show up in release changelog.
  • feature request: Introducing a new feature.
  • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
  • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook canary-release-pr.yml --field pr=<PR_NUMBER>

Greptile Summary

Enhanced security across GitHub Actions workflows by pinning third-party actions to specific commit hashes instead of version tags, preventing potential supply chain attacks.

• Updated actions/checkout to v4.2.2 (11bd71901bbe) across all workflow files
• Updated actions/setup-node to v4.3.0 (cdca7365b2dadb) across relevant workflows
• Updated actions/cache to v4.2.2 (d4323d4df104b) in deployment workflows
• Pinned balazsorban44/nissuer to v1.10.0 (92ef22afd6a7) in triage workflow
• Security concern: Ilshidur/action-discord@master remains unpinned in multiple workflows

_{💡 (1/5) You can manually trigger the bot by mentioning @greptileai in a comment!}

Summary by CodeRabbit

• Chores
  • Pinned all GitHub Actions in CI workflows to specific commit SHAs to improve security and reproducibility.
  • Updated references for actions such as checkout, setup-node, cache, stale, markdown link check, danger-js, triage, and HTTP request triggers.
  • No changes to workflow logic or user-visible behavior.

[greptile-apps]

LGTM

_{12 file(s) reviewed, no comment(s)
Edit PR Review Bot Settings | Greptile}

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 021cb22

Command	Status	Duration	Result
nx run-many -t build --parallel=3	✅ Succeeded	47s	View ↗

---

☁️ Nx Cloud last updated this comment at 2025-10-02 12:35:31 UTC

[greptile-apps]

LGTM

_{12 file(s) reviewed, no comment(s)
Edit PR Review Bot Settings | Greptile}

[valentinpalkovic]

Hi @re-taro

Thank you for opening this PR.

Could you please provide some more information? Which vulnerability does it try to tackle? Can you link to an issue?

[spanishpear]

@re-taro did you use a tool to pull the correct digest for each action? How were they determined?

[re-taro]

@spanishpear I used this one!

https://github.com/suzuki-shunsuke/pinact

[coderabbitai]

Walkthrough

The pull request updates multiple GitHub Actions workflows to pin external actions to specific commit SHAs instead of version tags. Affected workflows include canary-release-pr, cron-weekly, danger-js, generate-sandboxes, handle-release-branches, prepare-non-patch-release, prepare-patch-release, publish, stale, tests-unit, triage, and trigger-circle-ci-workflow. Actions pinned include actions/checkout, actions/setup-node, actions/cache, actions/stale, danger/danger-js, prince-chrismc/check-actor-permissions-action, mcky/find-and-replace-pull-request-body, gaurav-nelson/github-action-markdown-link-check, Nissuer/triage, and fjogeleit/http-request-action. No control flow, configuration, or logic changes were made.

Suggested labels

ci:docs

Suggested reviewers

• ndelangen

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title clearly summarizes the main change of pinning commit digests for third-party GitHub Actions in the workflows, directly reflecting the update in the pull request without unnecessary detail or ambiguity.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

.github/workflows/publish.yml (1)

201-207: Pin Ilshidur/action-discord to a commit.

This step still runs off @master, which reintroduces the very supply-chain risk this PR aims to close. Please pin it to the exact commit (and add a version comment) just like the other actions.

.github/workflows/generate-sandboxes.yml (1)

67-75: Please pin Ilshidur/action-discord here too.

Both failure-notification steps still reference @master, leaving us exposed to silent upstream changes. Pin each to a specific commit SHA (with version comments) to finish hardening this workflow.

Also applies to: 119-127

.github/workflows/prepare-non-patch-release.yml (1)

46-61: Pin the remaining Discord notifier action.

We’re still invoking Ilshidur/action-discord@master later in this workflow (Line 163). That unpinned reference undermines the supply-chain hardening this PR is aiming for. Please update it to a fixed commit SHA as well.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b0b5902 and 021cb22.

📒 Files selected for processing (12)

• .github/workflows/canary-release-pr.yml (3 hunks)
• .github/workflows/cron-weekly.yml (1 hunks)
• .github/workflows/danger-js.yml (1 hunks)
• .github/workflows/generate-sandboxes.yml (2 hunks)
• .github/workflows/handle-release-branches.yml (3 hunks)
• .github/workflows/prepare-non-patch-release.yml (2 hunks)
• .github/workflows/prepare-patch-release.yml (1 hunks)
• .github/workflows/publish.yml (1 hunks)
• .github/workflows/stale.yml (1 hunks)
• .github/workflows/tests-unit.yml (1 hunks)
• .github/workflows/triage.yml (1 hunks)
• .github/workflows/trigger-circle-ci-workflow.yml (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Core Unit Tests, windows-latest

🔇 Additional comments (8)

.github/workflows/stale.yml (1)

10-10: Pin for actions/stale looks good.

SHA matches v9.1.0 and keeps the workflow reproducible.

.github/workflows/trigger-circle-ci-workflow.yml (1)

61-61: Pinned http-request-action commit looks correct.

v1.16.3 commit hash is in place with an inline version note—nice.

.github/workflows/triage.yml (1)

20-20: Nissuer action correctly pinned.

Commit 92ef22a… corresponds to v1.10.0; thanks for locking it down.

.github/workflows/danger-js.yml (1)

24-29: Danger workflow pins look solid.

Checkout, setup-node, and danger-js now reference explicit SHAs with version breadcrumbs—exactly what we want for supply-chain safety.

.github/workflows/publish.yml (1)

40-52: Release prerequisites are now pinned.

Checkout, setup-node, and cache all reference the intended SHAs with clear version comments—thanks!

.github/workflows/handle-release-branches.yml (1)

26-26: Checkout pins look good.

All checkout steps now reference 11bd719… (v4.2.2) with helpful comments—thanks for the thoroughness.

Also applies to: 35-35, 57-57

.github/workflows/generate-sandboxes.yml (1)

29-34: Great job pinning the shared tooling.

Both branches now use the same checkout/setup-node SHAs with inline version notes—helps keep the environments predictable.

Also applies to: 81-86

.github/workflows/tests-unit.yml (1)

18-23: Pinned test prerequisites look good.

Checkout and setup-node now point at explicit SHAs with version breadcrumbs—appreciated.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Please also pin Ilshidur/action-discord.

Nice job pinning the core actions, but this workflow still calls Ilshidur/action-discord@master (see Line 186). Leaving that third-party action unpinned keeps the same supply-chain risk we’re trying to eliminate. Please lock it to a specific commit SHA (per the PR goal/tooling you’re already using) so this workflow is fully deterministic.

🤖 Prompt for AI Agents

.github/workflows/prepare-patch-release.yml lines 28-40 (and the workflow step
at ~line 186): the workflow pins core GitHub Actions but still references
Ilshidur/action-discord@master later, leaving a supply-chain risk; update the
discord action usage to a specific commit SHA (the same pinning style used for
other actions) by replacing the @master reference with the exact commit hash for
that release, ensuring the workflow is fully deterministic and consistent with
the other pinned actions.

[JReinhold]

thank you @re-taro, I actually did the same thing in #32621 although not for all third party actions. I didn't do it for the official actions from GitHub as that is a trusted entity, and I missed some that you have.

Feel free to update the PR with the remaining actions I missed (but not those from GitHub)