
security: pin all GitHub Actions to commit SHAs (GHSA-f9f8-rm49-7jv2)#185

Merged
dermatz merged 3 commits into main from fix/workflow-security on May 13, 2026

Conversation


@dermatz dermatz commented May 13, 2026

This pull request updates several GitHub Actions workflows to improve reliability, security, and keep dependencies up to date. The main changes include pinning action versions to specific commit hashes, updating Magento and PHP versions in compatibility tests, and improving health checks for MySQL in functional tests.

Workflow dependency and security improvements:

  • All GitHub Actions (actions/checkout, shivammathur/setup-php, actions/cache, actions/labeler, googleapis/release-please-action) are now pinned to specific commit hashes for better security and reproducibility.

Magento compatibility matrix updates:

  • Updated tested Magento versions in .github/workflows/magento-compatibility.yml to "2.4.7-p10", "2.4.8-p5", and "2.4.9", and corresponding PHP versions, ensuring the workflow tests against the latest supported versions.

Functional test reliability:

  • Improved MySQL container health check in .github/workflows/functional-tests.yml by making the health command more robust, increasing the number of retries, and adding a start period to reduce flakiness.

General workflow improvements:

  • Added explicit permissions for the magento-compatibility.yml workflow to follow GitHub best practices.

PHP tooling setup enhancements:

  • Ensured composer:v2 is always installed with PHP setup steps in relevant workflows.

- Update shivammathur/setup-php to accd6127 (v2, post Composer 2.9.8 fix)
- Add tools: composer:v2 to phpcs workflow to enforce patched Composer
- Add permissions: contents: read to magento-compatibility workflow
- Pin actions/checkout, actions/cache, actions/labeler,
  googleapis/release-please-action to verified commit SHAs
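The check a reviewer would want to run against this kind of change, as an added example (not code from the PR or the project): a small Python audit that reads a workflow file and flags every `uses:` entry that is not pinned to a full 40-hex commit SHA. Only a full SHA is resolved immutably by GitHub Actions; tags and branches such as `@v4` can be re-pointed by the action owner, and an abbreviated SHA is rejected by the runner. The sample workflow text below is constructed for illustration: its 40-hex SHAs are placeholders rather than real commits, and `setup-php@accd6127` deliberately uses the short form from the commit message so the audit can show it being flagged (the merged workflow must carry the full SHA).

```python
"""Audit GitHub Actions workflow text for unpinned third-party actions.

Added example, not code from the PR or the repository it modifies.
"""
import re
from typing import List, Tuple

# Matches "- uses: owner/repo[/path]@ref", with optional quotes around the value.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\']+)["\']?\s*$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')
SHORT_SHA_RE = re.compile(r'^[0-9a-f]{7,39}$')  # an all-hex tag would also land here

Finding = Tuple[int, str, str]  # (line number, action, problem kind)


def audit_workflow(text: str) -> List[Finding]:
    """Return one finding per `uses:` line that fails the pinning policy.

    Problem kinds:
      no-ref              "owner/repo" with no @ref at all
      floating            tag or branch (v4, main, ...) that the owner can move
      short-sha           abbreviated SHA; the runner needs the full 40-hex SHA
      no-version-comment  full SHA without a trailing "# vX.Y.Z" comment, which
                          Dependabot/Renovate keep in step with the SHA on bumps
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code, _, comment = raw.partition("#")  # trailing comment, if any
        m = USES_RE.match(code)
        if not m:
            continue
        spec = m.group(1)
        # Local composite actions and docker:// images are outside this policy.
        if spec.startswith("./") or spec.startswith("docker://"):
            continue
        if "@" not in spec:
            findings.append((lineno, spec, "no-ref"))
            continue
        action, ref = spec.rsplit("@", 1)
        if FULL_SHA_RE.match(ref):
            if not comment.strip():
                findings.append((lineno, action, "no-version-comment"))
        elif SHORT_SHA_RE.match(ref):
            findings.append((lineno, action, "short-sha"))
        else:
            findings.append((lineno, action, "floating"))
    return findings


def has_top_level_permissions(text: str) -> bool:
    """True if the workflow declares a top-level `permissions:` block, i.e. the
    default GITHUB_TOKEN scope is restricted (e.g. `permissions: contents: read`)."""
    return any(re.match(r"^permissions:", line) for line in text.splitlines())


# Constructed sample workflow; the 40-hex SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: phpcs
on: [pull_request]
permissions:
  contents: read
jobs:
  phpcs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.2.0
      - uses: actions/labeler@fedcba9876543210fedcba9876543210fedcba98
      - uses: shivammathur/setup-php@accd6127
        with:
          php-version: "8.3"
          tools: composer:v2
      - uses: ./.github/actions/local-step
      - name: Lint
        run: vendor/bin/phpcs
"""

if __name__ == "__main__":
    for lineno, action, kind in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {action}: {kind}")
    print("top-level permissions declared:", has_top_level_permissions(SAMPLE_WORKFLOW))
```

Run over the sample, the audit reports `actions/checkout` as floating, `actions/labeler` as pinned but lacking a version comment, and `shivammathur/setup-php` as an abbreviated SHA; `actions/cache` passes and the local action is skipped. The version-comment rule is a policy choice rather than a GitHub requirement, but without it a SHA-pinned workflow is unreadable to humans and harder for update bots to bump.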
@dermatz dermatz marked this pull request as ready for review May 13, 2026 12:51
Copilot AI review requested due to automatic review settings May 13, 2026 12:51
Copilot AI left a comment


Pull request overview

This PR hardens the repository’s GitHub Actions workflows by pinning third-party actions to immutable commit SHAs (mitigating supply-chain risk related to GHSA-f9f8-rm49-7jv2) and ensuring workflows use a patched Composer version where relevant.

Changes:

  • Pin commonly used actions (checkout/cache/labeler/release-please) to specific commit SHAs instead of floating tags.
  • Update shivammathur/setup-php to a specific v2 commit SHA across workflows.
  • Ensure PHPCS runs with Composer v2 and tighten workflow permissions for Magento compatibility checks.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Summary per file:

  • .github/workflows/release-please.yml: Pins googleapis/release-please-action to a commit SHA while retaining required write permissions.
  • .github/workflows/phpstan.yml: Pins actions/checkout, actions/cache, and setup-php to SHAs for deterministic CI runs.
  • .github/workflows/phpcs.yml: Pins actions and explicitly installs Composer v2 via setup-php tools configuration.
  • .github/workflows/magento-compatibility.yml: Adds contents: read permissions and updates setup-php to the pinned v2 commit SHA.
  • .github/workflows/label.yml: Pins actions/labeler to a commit SHA.
  • .github/workflows/functional-tests.yml: Updates setup-php to the pinned v2 commit SHA for consistent CI toolchain behavior.

Morgy93 previously approved these changes May 13, 2026
Copilot AI review requested due to automatic review settings May 13, 2026 13:03
@dermatz dermatz enabled auto-merge (squash) May 13, 2026 13:04
@dermatz dermatz requested a review from Morgy93 May 13, 2026 13:05
@dermatz dermatz merged commit ce709a1 into main May 13, 2026
14 checks passed
@dermatz dermatz deleted the fix/workflow-security branch May 13, 2026 13:05
Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/label.yml
3 participants