Skip to content

[Feature]: Pin all actions with their commit hash to increase securityΒ #815

Description

@MacOS

🧠 D: DOCUMENT β€” Problem & Opportunity

What is the problem, limitation, or opportunity? Why does this matter for SKaiNET?

Explain the context in clear terms:

  • What functionality is missing or insufficient?
  • Why is this important now?
  • Who benefits (users, developers, researchers)?
  • What is the high-level goal of this proposal?

Currently, almost all workflows use tags to pin their actions. This is a potential security vulnerability, against best practises, and lowers the OpenSSF Score. We therefore want to pin them with their commit hashes instead.

Summary (1–2 sentences):

Provide a concise overview of what this issue aims to address.

This issue addresse the potential security threat caused by actions pinned with tags.

πŸ” A: ASSESS β€” Feasibility & Impact

Provide an evaluation of the proposal. Address the following:

βœ”οΈ Feasibility

  • Is the feature straightforward to implement?
  • Are there architectural constraints?

It is straightforward to switch from pinned tags to pinned commit hashes.

βœ”οΈ Expected Impact

  • How does this improve SKaiNET?
  • Does it unlock new capabilities?

It improves SKaiNET by improving it's security.

βœ”οΈ Risks / Constraints

  • Technical challenges?
  • Numerical stability concerns?
  • API consistency?

None.

βœ”οΈ Dependencies

  • Does this rely on an existing SKaiNET module?
  • Does it require third-party libraries or standards?

None.

πŸ“š R: RESEARCH β€” What Must Be Understood First?

Document research tasks or open questions that must be answered before implementation:

Research Tasks

  • Review existing frameworks (PyTorch, JAX, TensorFlow, etc.)
  • Identify relevant algorithms or formulas
  • Compare design patterns for modularity
  • Investigate numerically stable or optimized variants
  • Check for relevant academic papers or benchmarks

Not applicable.

Open Questions

List unknowns that contributors should discuss or resolve.

There are no open questions.

πŸ› οΈ C: CODE β€” Implementation Plan

Break down actionable steps required to deliver this feature:

Development Tasks

  • build.yml
  • docs.yml
  • documentation.yml
  • engine-benchmarks.yml
  • java-tests.yml
  • native-cpu-multiarch.yml
  • publish.yml
  • schema-validation.yml
  • verify-poms.yml

Acceptance Criteria

  • build.yml runs through
  • docs.yml runs through
  • documentation.yml runs through
  • engine-benchmarks.yml runs through
  • java-tests.yml runs through
  • native-cpu-multiarch.yml runs through
  • publish.yml runs through
  • schema-validation.yml runs through
  • verify-poms.yml runs through

πŸ’¬ Additional Notes

Add diagrams, pseudo-code, references, or implementation notes that may help future contributors.

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestgithub_actionsPull requests that update GitHub Actions code

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions