
fix(security): pin all workflow action references to SHA hashes#261

Merged: jdfalk merged 3 commits into main from copilot/ensure-workflows-pin-to-hashes on Apr 2, 2026

Conversation

Contributor

Copilot AI commented Apr 2, 2026

  • Explore repository and identify all workflow files with non-SHA-pinned action references
  • Fix all template, example, and workflow-template files to pin action references to SHA hashes
  • Fix dependency-review-config.yml - remove empty allow-licenses: [] that conflicted with deny-licenses

Copilot AI changed the title from "[WIP] Enforce pinning workflows to hashes for security" to "fix(security): pin all workflow action references to SHA hashes" on Apr 2, 2026
Copilot AI requested a review from jdfalk on April 2, 2026 at 22:53
github-actions bot added the labels size/M, automation (Automation scripts and tools), module:config (Configuration management) and workflow:automation (Automation and tooling) on Apr 2, 2026
Owner

jdfalk commented Apr 2, 2026

@copilot Can you fix this:

2026-04-02T23:02:54.6792464Z ##[group]Run actions/dependency-review-action@2031cfc
2026-04-02T23:02:54.6794311Z with:
2026-04-02T23:02:54.6795257Z config-file: ./.github/dependency-review-config.yml
2026-04-02T23:02:54.6796552Z fail-on-severity: moderate
2026-04-02T23:02:54.6797975Z repo-token: ***
2026-04-02T23:02:54.6798799Z ##[endgroup]
2026-04-02T23:02:55.0008163Z ##[error][
{
"code": "custom",
"message": "You cannot specify both allow-licenses and deny-licenses",
"path": []
},
{
"code": "custom",
"message": "You should provide at least one license in allow-licenses",
"path": []
}
]

Contributor Author

Copilot AI commented Apr 2, 2026

@copilot Can you fix this:

2026-04-02T23:02:54.6792464Z ##[group]Run actions/dependency-review-action@2031cfc...

Fixed in f45d2e3. The dependency-review-config.yml had an empty allow-licenses: [] entry alongside deny-licenses, which the action rejects — you can only use one or the other. Removed the empty allow-licenses field so only deny-licenses is active.
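The two defects this PR fixes (mutable `uses:` references in workflow files, and a dependency-review config that sets `allow-licenses: []` next to `deny-licenses`) can both be caught before a run. The checker below is an added example, not code from the repository or from this PR. It scans workflow text line by line with a regular expression rather than a YAML parser, takes the dependency-review config as an already-parsed dict (for example from `yaml.safe_load`), and uses a constructed sample workflow and constructed license lists; the 40-hex SHA in the sample is a placeholder, not a real commit.

```python
"""Added example: lint GitHub workflow action pins and dependency-review
license filters. Not part of PR #261 or the repository's own tooling."""
import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" or "- uses: ...", quoted or not.
# Group 1 is the reference, group 2 an optional trailing "# ..." comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(#.*)?$")


def check_workflow_text(text, path="workflow.yml"):
    """Return (path, line_no, severity, message) for each questionable `uses:`.

    Tags and branches can be moved to new commits by the action's owner;
    a full commit SHA cannot, which is why the PR pins everything to SHAs.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and docker:// images are not GitHub repo refs.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, sep, version = ref.partition("@")
        if not sep:
            findings.append((path, line_no, "error",
                             f"{action}: missing @ref"))
        elif not FULL_SHA.match(version):
            findings.append((path, line_no, "error",
                             f"{action}@{version}: mutable tag/branch, "
                             "pin to a 40-hex commit SHA"))
        elif comment is None:
            # Convention (assumption, not from the PR): keep a "# vX.Y.Z"
            # comment after the SHA so humans can read the version and
            # Dependabot can bump the pin.
            findings.append((path, line_no, "info",
                             f"{action}: pinned, but add a '# vX.Y.Z' comment"))
    return findings


def check_dependency_review_config(cfg):
    """Mirror the two validation errors dependency-review-action reported
    in the log quoted in this PR. `cfg` is the parsed YAML config as a dict."""
    problems = []
    has_allow = "allow-licenses" in cfg
    has_deny = "deny-licenses" in cfg
    if has_allow and has_deny:
        problems.append("You cannot specify both allow-licenses and deny-licenses")
    if has_allow and not cfg["allow-licenses"]:
        problems.append("You should provide at least one license in allow-licenses")
    return problems


# Constructed sample workflow: two mutable refs, one bare SHA, one SHA with a
# version comment, one local action and one docker image.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
"""

# Constructed configs: the shape the PR removed, and the shape it kept.
BEFORE_CONFIG = {"allow-licenses": [], "deny-licenses": ["GPL-3.0", "AGPL-3.0"]}
AFTER_CONFIG = {"deny-licenses": ["GPL-3.0", "AGPL-3.0"]}

if __name__ == "__main__":
    for path, line_no, severity, msg in check_workflow_text(SAMPLE_WORKFLOW):
        print(f"{path}:{line_no}: {severity}: {msg}")
    print("before:", check_dependency_review_config(BEFORE_CONFIG))
    print("after:", check_dependency_review_config(AFTER_CONFIG))
```

Run it against the repository's `.github/workflows/*.yml` and workflow templates in CI so a tag-pinned action fails the build instead of slipping into `main`; the license check reproduces the action's own error text, so a config regression is visible without waiting for the dependency-review job to fail.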

Copilot AI requested a review from jdfalk on April 2, 2026 at 23:06
jdfalk marked this pull request as ready for review on April 2, 2026 at 23:11
jdfalk merged commit 3d89ccc into main on Apr 2, 2026
33 of 36 checks passed
jdfalk deleted the copilot/ensure-workflows-pin-to-hashes branch on April 2, 2026 at 23:11