From 179c20b35288fddf2fb7fdcaa8ccfeefe99b6689 Mon Sep 17 00:00:00 2001
From: Matt Aitchison
Date: Thu, 21 May 2026 18:08:34 -0500
Subject: [PATCH] ci: pin third-party actions to commit SHAs (#5869)

* ci: pin third-party actions to commit SHAs

Pin third-party GitHub Actions in workflow files to immutable 40-char commit SHAs per the org security policy. Mutable refs like @v4 can be silently re-pointed by a compromised upstream; SHAs cannot. Trailing version comments let Dependabot/Renovate continue to manage updates.

Related to [COR-51](https://linear.app/crewai/issue/COR-51).

* ci: disable persist-credentials in pip-audit checkout

Address CodeRabbit feedback on PR #5869: the pip-audit workflow is read-only and never needs an authenticated git context, so opt out of persisting the GITHUB_TOKEN in the local git config per the actions/checkout security guidance.
---
 .github/workflows/build-uv-cache.yml | 4 ++--
 .github/workflows/codeql.yml | 6 +++---
 .github/workflows/docs-broken-links.yml | 4 ++--
 .github/workflows/generate-tool-specs.yml | 2 +-
 .github/workflows/linter.yml | 8 ++++----
 .github/workflows/nightly.yml | 8 ++++----
 .github/workflows/publish.yml | 10 +++++-----
 .github/workflows/stale.yml | 2 +-
 .github/workflows/tests.yml | 10 +++++-----
 .github/workflows/type-checker.yml | 8 ++++----
 .github/workflows/update-test-durations.yml | 8 ++++----
 .github/workflows/vulnerability-scan.yml | 10 ++++++----
 12 files changed, 41 insertions(+), 39 deletions(-)

diff --git a/.github/workflows/build-uv-cache.yml b/.github/workflows/build-uv-cache.yml
index 20ad8e109..a83982086 100644
--- a/.github/workflows/build-uv-cache.yml
+++ b/.github/workflows/build-uv-cache.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Install uv
 uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
@@ -39,7 +39,7 @@ jobs:
 echo "Cache populated successfully"
 - name: Save uv caches
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index d3a21d1ac..b786dd215 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -59,7 +59,7 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 # Add any setup steps before running the `github/codeql-action/init` action.
 # This includes steps like installing compilers or runtimes (`actions/setup-node`
@@ -69,7 +69,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -98,6 +98,6 @@ jobs:
 exit 1
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docs-broken-links.yml b/.github/workflows/docs-broken-links.yml
index 08e2ee19b..38ca499a4 100644
--- a/.github/workflows/docs-broken-links.yml
+++ b/.github/workflows/docs-broken-links.yml
@@ -18,10 +18,10 @@ jobs:
 name: Check broken links
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Set up Node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: "22"
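Review bot: The `# v4.3.0` trailing comment on the new `actions/cache/save` pin is documentation only — the runner resolves the SHA and never checks that it matches the tag named in the comment, so a typo or a comment left stale by a later hand edit would silently misdescribe what actually runs, and the Dependabot/Renovate flow the commit message relies on reads that comment to decide the current version. Worth adding a CI check (a pin linter such as zizmor or pinact) that asserts each annotated tag resolves to the pinned SHA in the upstream repository, not merely to any commit GitHub can resolve. For the same auditability reason the pre-existing `# v6` on `astral-sh/setup-uv` in this file's previous hunk would be better annotated with the exact release the SHA corresponds to, e.g. `# v6.x.y`.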
diff --git a/.github/workflows/generate-tool-specs.yml b/.github/workflows/generate-tool-specs.yml
index af6fc7195..fce8c2753 100644
--- a/.github/workflows/generate-tool-specs.yml
+++ b/.github/workflows/generate-tool-specs.yml
@@ -28,7 +28,7 @@ jobs:
 private-key: ${{ secrets.CREWAI_TOOL_SPECS_PRIVATE_KEY }}
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{ github.head_ref }}
 token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 4ade0d313..f5d3847b5 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -12,7 +12,7 @@ jobs:
 outputs:
 code: ${{ steps.filter.outputs.code }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
 id: filter
 with:
@@ -26,11 +26,11 @@ jobs:
 if: needs.changes.outputs.code == 'true'
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Restore global uv cache
 id: cache-restore
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
@@ -58,7 +58,7 @@ jobs:
 - name: Save uv caches
 if: steps.cache-restore.outputs.cache-hit != 'true'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index fc923dc20..669ef0fb2 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -18,7 +18,7 @@ jobs:
 outputs:
 has_changes: ${{ steps.check.outputs.has_changes }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0
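Review bot: The pinned checkout on the new line still persists the GitHub App token from `steps.app-token` into `.git/config` (actions/checkout defaults `persist-credentials` to true) while checking out `github.head_ref`, a ref the PR author controls. If this workflow is triggered by `pull_request_target` (the trigger is outside the hunk) then any later step that executes content from that checkout runs PR-controlled code with a likely write-capable App token sitting on disk. If the token is only needed to push in a later step, consider `persist-credentials: false` here and handing the token explicitly to that step, and confirm the App installation is scoped to this one repository with no more than the `contents: write` it needs.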
@@ -41,7 +41,7 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Install uv
 uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
@@ -87,7 +87,7 @@ jobs:
 rm dist/.gitignore
 - name: Upload artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: dist
 path: dist/
@@ -110,7 +110,7 @@ jobs:
 enable-cache: false
 - name: Download artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: dist
 path: dist
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 06c52ce4d..896aa9540 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,12 +24,12 @@ jobs:
 echo "tag=" >> $GITHUB_OUTPUT
 fi
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{ steps.release.outputs.tag || github.ref }}
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 with:
 python-version: "3.12"
@@ -42,7 +42,7 @@ jobs:
 rm dist/.gitignore
 - name: Upload artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: dist
 path: dist/
@@ -58,7 +58,7 @@ jobs:
 id-token: write
 contents: read
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 ref: ${{ inputs.release_tag || github.ref }}
@@ -70,7 +70,7 @@ jobs:
 enable-cache: false
 - name: Download artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
 with:
 name: dist
 path: dist
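Review bot: In the publish.yml hunk at `@@ -58,7 +58,7 @@`, the pinned checkout sits in the job that holds `id-token: write`, still persists `GITHUB_TOKEN` into `.git/config` by default, and checks out `ref: ${{ inputs.release_tag || github.ref }}` — a dispatcher-supplied ref — in the same job that mints the OIDC token used for publishing. That job appears to publish the `dist` artifact downloaded in the following hunk rather than push anything, so the checkout has no need for git credentials; add `persist-credentials: false` under the existing `with:` block, matching what this PR already does for pip-audit. `contents: read` bounds what the token can do, but the OIDC token is the valuable credential here, so everything that runs between this checkout and the publish step should stay limited to trusted, SHA-pinned actions.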
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 67e4d3c57..15fd1af91 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -14,7 +14,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-label: 'no-issue-activity'
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 4378c4978..008ac6ccb 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -12,7 +12,7 @@ jobs:
 outputs:
 code: ${{ steps.filter.outputs.code }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
 id: filter
 with:
@@ -34,13 +34,13 @@ jobs:
 group: [1, 2, 3, 4, 5, 6, 7, 8]
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 with:
 fetch-depth: 0 # Fetch all history for proper diff
 - name: Restore global uv cache
 id: cache-restore
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
@@ -61,7 +61,7 @@ jobs:
 run: uv sync --all-groups --all-extras
 - name: Restore test durations
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: .test_durations_py*
 key: test-durations-py${{ matrix.python-version }}
@@ -108,7 +108,7 @@ jobs:
 - name: Save uv caches
 if: steps.cache-restore.outputs.cache-hit != 'true'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
diff --git a/.github/workflows/type-checker.yml b/.github/workflows/type-checker.yml
index c1268dadc..d60cb4f95 100644
--- a/.github/workflows/type-checker.yml
+++ b/.github/workflows/type-checker.yml
@@ -12,7 +12,7 @@ jobs:
 outputs:
 code: ${{ steps.filter.outputs.code }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
 id: filter
 with:
@@ -33,11 +33,11 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Restore global uv cache
 id: cache-restore
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
@@ -62,7 +62,7 @@ jobs:
 - name: Save uv caches
 if: steps.cache-restore.outputs.cache-hit != 'true'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
diff --git a/.github/workflows/update-test-durations.yml b/.github/workflows/update-test-durations.yml
index fda5a2625..5234308b8 100644
--- a/.github/workflows/update-test-durations.yml
+++ b/.github/workflows/update-test-durations.yml
@@ -23,11 +23,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Restore global uv cache
 id: cache-restore
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
@@ -55,14 +55,14 @@ jobs:
 - name: Save durations to cache
 if: always()
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: .test_durations_py*
 key: test-durations-py${{ matrix.python-version }}
 - name: Save uv caches
 if: steps.cache-restore.outputs.cache-hit != 'true'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
index 6c24bd7c3..5cea4777a 100644
--- a/.github/workflows/vulnerability-scan.yml
+++ b/.github/workflows/vulnerability-scan.yml
@@ -16,11 +16,13 @@ jobs:
 name: pip-audit
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
 - name: Restore global uv cache
 id: cache-restore
- uses: actions/cache/restore@v4
+ uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
@@ -110,14 +112,14 @@ jobs:
 - name: Upload pip-audit report
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: pip-audit-report
 path: pip-audit-report.json
 - name: Save uv caches
 if: steps.cache-restore.outputs.cache-hit != 'true'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
 with:
 path: |
 ~/.cache/uv
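Review bot: `persist-credentials: false` is added only to the pip-audit checkout in this first hunk, yet the commit message's reasoning (read-only job, no authenticated git context) applies equally to the other checkouts this PR touches — linter, tests, type-checker, codeql, docs-broken-links, build-uv-cache — none of which shows a push or other authenticated git operation in the visible hunks. Apply the same `with:` / `persist-credentials: false` pair to those for consistency, or note in the PR why they are left persisting the token. Be aware the option only stops the token being written into `.git/config`; `${{ secrets.GITHUB_TOKEN }}` remains available to every step, so the job-level `permissions:` block (outside this hunk) is still the real boundary on what a compromised step or dependency can do.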