Skip to content

ci: pin third-party GitHub Actions to verified release SHAs#884

Open
Vamshi-Microsoft wants to merge 1 commit into
mainfrom
ci/pin-actions-and-git-diff
Open

ci: pin third-party GitHub Actions to verified release SHAs#884
Vamshi-Microsoft wants to merge 1 commit into
mainfrom
ci/pin-actions-and-git-diff

Conversation

@Vamshi-Microsoft

@Vamshi-Microsoft Vamshi-Microsoft commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Purpose

  • Replace the tj-actions/changed-files action in broken-links-checker.yml with a built-in git diff step that detects changed Markdown files between the PR base and head SHAs, preserving the any_changed / all_changed_files outputs consumed by the lychee step. This removes a third-party dependency from change detection.
  • Pin third-party GitHub Actions to specific release commit SHAs (instead of mutable version tags) for reproducible and immutable workflow runs.

Does this introduce a breaking change?

  • Yes
  • No

Golden Path Validation

  • I have tested the primary workflows (the "golden path") to ensure they function correctly without errors.

Deployment Validation

  • I have validated the deployment process successfully and all services are running as expected with this change.

What to Check

Verify that the following are valid
Changed files:

  • .github/workflows/broken-links-checker.yml
  • .github/workflows/pr-title-checker.yml
  • .github/workflows/test.yml

Other Information

@github-actions

github-actions Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Coverage

Coverage Report •
FileStmtsMissCoverMissing
TOTAL769637195% 
report-only-changed-files is enabled. No files were changed during this commit :)

Tests Skipped Failures Errors Time
426 0 💤 0 ❌ 0 🔥 12.547s ⏱️

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens CI workflows by removing a compromised third-party “changed files” action from the broken-link checker and by pinning third-party GitHub Actions to immutable, verified release commit SHAs to reduce supply-chain risk.

Changes:

  • Replace tj-actions/changed-files in the broken-link checker with a built-in git diff-based step that emits compatible outputs.
  • Pin lycheeverse/lychee-action, amannn/action-semantic-pull-request, and MishaKav/pytest-coverage-comment to the commit SHAs behind their release tags.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/broken-links-checker.yml Replaces changed-file detection with git diff and pins lychee-action to a release SHA.
.github/workflows/pr-title-checker.yml Pins action-semantic-pull-request to the commit SHA for v6.1.1.
.github/workflows/test.yml Pins pytest-coverage-comment to the commit SHA for v1.8.0.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/broken-links-checker.yml
@Vamshi-Microsoft Vamshi-Microsoft force-pushed the ci/pin-actions-and-git-diff branch from 438290c to d5031e0 Compare June 30, 2026 06:27
@Vamshi-Microsoft Vamshi-Microsoft changed the title ci: replace tj-actions/changed-files with built-in git diff in broken-link checker and pin third-party GitHub Actions to verified release SHAs ci: pin third-party GitHub Actions to verified release SHAs Jun 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants