Skip to content

Pin pnpm/action-setup to immutable SHAs in GitHub workflows#706

Merged
ss-o merged 1 commit into
mainfrom
copilot/resolve-conversations-705
Apr 29, 2026
Merged

Pin pnpm/action-setup to immutable SHAs in GitHub workflows#706
ss-o merged 1 commit into
mainfrom
copilot/resolve-conversations-705

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 29, 2026

This updates the workflow steps flagged in PR #705 for using a mutable third-party action ref. The affected GitHub Actions now reference pnpm/action-setup by commit SHA instead of a version tag.

  • Security hardening

    • Replaced pnpm/action-setup@v4 with the corresponding immutable commit SHA in:
      • .github/workflows/ci-perf.yml
      • .github/workflows/pages-deployment.yaml

  • Scope

    • Limits the change to the workflow steps called out by code scanning.
    • Preserves the current action version semantics by annotating the pinned SHA with the upstream tag.
- name: "📦 Setup pnpm"
  uses: pnpm/action-setup@f40ffcd9367d9f12939873eb1018b921a783ffaa # v4

@ss-o
fix: pin pnpm action in workflows
4735a6a 
Agent-Logs-Url: https://github.com/z-shell/wiki/sessions/bd69b14f-ad5b-4221-a431-efaef7777bf6

Co-authored-by: ss-o <59910950+ss-o@users.noreply.github.com>
@ss-o ss-o marked this pull request as ready for review April 29, 2026 01:59
@ss-o ss-o requested review from a team and Copilot April 29, 2026 01:59
Copilot AI reviewed Apr 29, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens GitHub Actions workflows by pinning pnpm/action-setup to an immutable commit SHA (annotated with the upstream v4 tag) instead of using the mutable @v4 ref.

Changes:

  • Updated .github/workflows/pages-deployment.yaml to use pnpm/action-setup@<sha> rather than @v4.
  • Updated .github/workflows/ci-perf.yml (both jobs) to use the same pinned SHA for pnpm/action-setup.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.github/workflows/pages-deployment.yaml Pins pnpm/action-setup to the v4 commit SHA for deploy workflow security hardening.
.github/workflows/ci-perf.yml Pins pnpm/action-setup to the same immutable SHA in both perf jobs.

@ss-o ss-o merged commit b0bcc2b into main Apr 29, 2026
10 checks passed
@ss-o ss-o deleted the copilot/resolve-conversations-705 branch April 29, 2026 02:07
ss-o added a commit that referenced this pull request Apr 29, 2026
@ss-o
Resolve PR #705 workflow merge conflicts and pin pnpm action to immut…
360c5b3 
…able v5 SHA (#707)

* Pin `pnpm/action-setup` to immutable SHAs in GitHub workflows (#706)

fix: pin pnpm action in workflows

Agent-Logs-Url: https://github.com/z-shell/wiki/sessions/bd69b14f-ad5b-4221-a431-efaef7777bf6

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ss-o <59910950+ss-o@users.noreply.github.com>

* merge main into PR 705 branch

Agent-Logs-Url: https://github.com/z-shell/wiki/sessions/e6834102-e5ec-42c9-a1a7-6228d6a0f17b

Co-authored-by: ss-o <59910950+ss-o@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: ss-o <59910950+ss-o@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@ss-o ss-o ss-o approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@ss-o ss-o

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ss-o