Skip to content

Add script and run update for pinning action versions#1484

Merged
jsturtevant merged 3 commits into
hyperlight-dev:mainfrom
jsturtevant:pinactions
Jun 8, 2026
Merged

Add script and run update for pinning action versions#1484
jsturtevant merged 3 commits into
hyperlight-dev:mainfrom
jsturtevant:pinactions

Conversation

@jsturtevant
Copy link
Copy Markdown
Contributor

@jsturtevant jsturtevant commented May 29, 2026

This pins all of our github actions to hashes https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions. Dependabot will still work and use hashes when pushing updates.

It removes https://github.com/dtolnay/rust-toolchain for actions-rust-lang/setup-rust-toolchain which is maintained.

ACTION CURRENT LATEST LATEST HASH UPDATE? URL
Swatinem/rust-cache v2 v2.9.1 c19371144df3bb44fab255c43d04cbc2ab54d1c4 YES https://github.com/Swatinem/rust-cache/releases
actions/cache v5 v5.0.5 27d5ce7f107fe9357f9df03efb73ab90386fccae YES https://github.com/actions/cache/releases
actions/checkout v6 v6.0.2 de0fac2e4500dabe0009e67214ff5f5447ce83dd YES https://github.com/actions/checkout/releases
actions/create-github-app-token v3 v3.2.0 bcd2ba49218906704ab6c1aa796996da409d3eb1 YES https://github.com/actions/create-github-app-token/releases
actions/download-artifact v8 v8.0.1 3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c YES https://github.com/actions/download-artifact/releases
actions/github-script v9 v9.0.0 3a2844b7e9c422d3c10d287c895573f7108da1b3 YES https://github.com/actions/github-script/releases
actions/upload-artifact v7 v7.0.1 043fb46d1a93c77aae656e7c1c64a875d1fc6a0a YES https://github.com/actions/upload-artifact/releases
crate-ci/typos v1.46.3 v1.47.0 f8a58b6b53f2279f71eb605f03a4ae4d10608f45 YES https://github.com/crate-ci/typos/releases
docker/build-push-action v7 v7.2.0 f9f3042f7e2789586610d6e8b85c8f03e5195baf YES https://github.com/docker/build-push-action/releases
docker/login-action v4 v4.2.0 650006c6eb7dba73a995cc03b0b2d7f5ca915bee YES https://github.com/docker/login-action/releases
docker/metadata-action v6 v6.1.0 80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 YES https://github.com/docker/metadata-action/releases
dorny/paths-filter v4 v4.0.1 fbd0ab8f3e69293af611ebaee6363fc25e6d187d YES https://github.com/dorny/paths-filter/releases
actions-rust-lang/setup-rust-toolchain v1.16.1 46268bd060767258de96ed93c1251119784f2ab6 YES https://github.com/actions-rust-lang/setup-rust-toolchain/releases
hyperlight-dev/ci-setup-workflow v1.9.0 v1.9.0 f6bd9cc86d0737976d2128c8b8ced8edc017cbb4 YES https://github.com/hyperlight-dev/ci-setup-workflow/releases
rust-lang/crates-io-auth-action v1 v1.0.4 bbd81622f20ce9e2dd9622e3218b975523e45bbe YES https://github.com/rust-lang/crates-io-auth-action/releases
rustsec/audit-check v2.0.0 v2.0.0 69366f33c96575abad1ee0dba8212993eecbe998 YES https://github.com/rustsec/audit-check/releases

Copilot AI review requested due to automatic review settings May 29, 2026 21:03
@jsturtevant jsturtevant added the kind/dependencies For PRs that update dependencies or related components label May 29, 2026
Copilot AI reviewed May 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the repository’s GitHub Actions usage by pinning third-party actions to specific commit SHAs (per GitHub’s supply-chain guidance), and adds a helper script to discover/update pins. It also replaces dtolnay/rust-toolchain with the maintained actions-rust-lang/setup-rust-toolchain.

Changes:

  • Pin uses: references across workflows from version tags (e.g., @v6) to full commit SHAs, keeping the original version as an inline comment.
  • Replace dtolnay/rust-toolchain usage with actions-rust-lang/setup-rust-toolchain.
  • Add hack/update-actions.sh to scan workflows, resolve latest releases, and optionally update pins in-place.

Reviewed changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 7 comments.

Show a summary per file
File Description
hack/update-actions.sh New helper script to scan workflows and compute/apply pinned action SHAs.
.github/workflows/ValidatePullRequest.yml Pins actions used for docs-only detection, checkout, and typos.
.github/workflows/RustNightly.yml Pins checkout/cache/rust-cache/ci-setup workflow action references.
.github/workflows/ReleaseBlockerLabelCleanUp.yml Pins checkout action reference.
.github/workflows/ReleaseBlockerCheck.yml Pins checkout action reference.
.github/workflows/PRLabelChecker.yml Pins checkout action reference.
.github/workflows/PrimeCaches.yml Pins checkout/ci-setup/rust-cache action references.
.github/workflows/IssueLabelChecker.yml Pins checkout action reference.
.github/workflows/Fuzzing.yml Pins checkout action reference.
.github/workflows/dep_update_guest_locks.yml Pins create-app-token/checkout/ci-setup action references.
.github/workflows/dep_run_examples.yml Pins checkout/ci-setup/rust-cache/download-artifact action references.
.github/workflows/dep_fuzzing.yml Pins checkout/ci-setup/download-artifact/upload-artifact action references.
.github/workflows/dep_code_checks.yml Pins checkout/ci-setup/cache/rust-cache action references.
.github/workflows/dep_build_test.yml Pins checkout/ci-setup/rust-cache/download-artifact action references.
.github/workflows/dep_build_guests.yml Pins checkout/ci-setup/cache/rust-cache/upload-artifact action references.
.github/workflows/dep_benchmarks.yml Pins checkout/ci-setup/rust-cache/download-artifact/upload-artifact action references.
.github/workflows/DailyBenchmarks.yml Pins checkout action reference.
.github/workflows/CreateReleaseBranch.yml Pins checkout action reference.
.github/workflows/CreateRelease.yml Pins checkout/ci-setup/download-artifact action references.
.github/workflows/CreateDevcontainerImage.yml Pins checkout/docker/login/metadata/build-push action references.
.github/workflows/Coverage.yml Pins checkout/ci-setup/rust-cache/upload-artifact action references.
.github/workflows/copilot-setup-steps.yml Pins checkout/ci-setup and replaces toolchain setup action.
.github/workflows/CargoPublish.yml Pins checkout/ci-setup/crates-io-auth action references.
.github/workflows/CargoAudit.yml Pins checkout/toolchain/audit-check action references.
.github/workflows/auto-merge-dependabot.yml Pins create-app-token and checkout action references.

Comment thread hack/update-actions.sh Outdated
Comment thread hack/update-actions.sh
Comment thread hack/update-actions.sh Outdated
Comment thread .github/workflows/ValidatePullRequest.yml Outdated
Comment thread .github/workflows/ValidatePullRequest.yml
Comment thread .github/workflows/IssueLabelChecker.yml
Comment thread .github/workflows/copilot-setup-steps.yml
@ludfjig
Copy link
Copy Markdown
Contributor

ludfjig commented May 29, 2026

What's wrong with https://github.com/dtolnay/rust-toolchain?

@jsturtevant
Copy link
Copy Markdown
Contributor Author

jsturtevant commented May 29, 2026

What's wrong with https://github.com/dtolnay/rust-toolchain?

It doesn't have releases so hard to pin and keep updated, it hasn't been updated with latest tool chains.

https://github.com/actions-rust-lang/setup-rust-toolchain is being actively maintained and does the same thing.

@jsturtevant
Add script and run update for pinning action versions
16a5550 
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
@jsturtevant
use nightly
1e482cb 
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
@jsturtevant
apply suggestions
9a29397 
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
ludfjig
ludfjig approved these changes Jun 5, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@ludfjig ludfjig left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm. The table in the PR description seems slightly out of date. And are you planning to update https://github.com/hyperlight-dev/ci-setup-workflow too? That one uses dtolnay still

@jsturtevant
Copy link
Copy Markdown
Contributor Author

jsturtevant commented Jun 8, 2026

The table in the PR description seems slightly out of date.

DependaBot will use the hashes so it should be ok to merge this and we will get the updates on the next dependabot cycle.

And are you planning to update https://github.com/hyperlight-dev/ci-setup-workflow too? That one uses dtolnay still

Sure, we should switch all the repos. Will follow up on those

@jsturtevant jsturtevant merged commit d19b345 into hyperlight-dev:main Jun 8, 2026
42 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ludfjig ludfjig ludfjig approved these changes

@andreiltd andreiltd andreiltd approved these changes

@danbugs danbugs Awaiting requested review from danbugs danbugs is a code owner

@devigned devigned Awaiting requested review from devigned devigned is a code owner

@dblnz dblnz Awaiting requested review from dblnz dblnz is a code owner

@jprendes jprendes Awaiting requested review from jprendes jprendes is a code owner

@syntactically syntactically Awaiting requested review from syntactically syntactically is a code owner

@simongdavies simongdavies Awaiting requested review from simongdavies simongdavies is a code owner

@squillace squillace Awaiting requested review from squillace squillace is a code owner

Assignees

No one assigned

Labels

kind/dependencies For PRs that update dependencies or related components

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jsturtevant @ludfjig @andreiltd