
[Github][CI] Hashpin actions dependencies #127011


Merged: 1 commit into llvm:main from hash-pin-ci-workflows on Feb 13, 2025

Conversation

boomanaiden154
Contributor

This patch pins several actions dependencies in the premerge workflow and the Windows/Linux container build workflows to help improve security in the unlikely event that someone tries to pull off a supply chain security attack by modifying release assets for these actions.

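Added example, not code from this PR or from llvm-project: the check a reviewer would run over the workflows the author says are still to be converted. It scans `uses:` lines and reports which references are a full commit SHA with a version comment (the form this patch introduces), which are abbreviated hashes, and which are still a tag or branch that the upstream maintainer, or anyone with push access to that repository, can move. The regexes, the `Finding` type and the sample workflow are all constructed here; the two hashes in the sample are the ones from the diff.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example for this PR discussion, not code from llvm-project or from GitHub.
A regex scan avoids a YAML dependency and handles the `uses:` forms seen in
real workflows (`- uses:` and a `uses:` key inside a named step). The sample
workflow at the bottom is constructed for demonstration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# `uses:` may follow a list dash or sit inside a step; the value may be quoted;
# a trailing comment is optional.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<ref>[^\s#'"]+)['"]?\s*(?P<comment>#.*)?$""")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
# The convention this patch uses: `# v4.2.2` after the hash so humans can read the version.
VERSION_COMMENT_RE = re.compile(r"^#\s*v?\d+(\.\d+)*\b")


@dataclass
class Finding:
    line: int
    ref: str
    status: str  # pinned | pinned-no-comment | short-sha | mutable | local | docker


def classify(ref: str, comment: Optional[str]) -> str:
    """Classify one `uses:` reference by how strongly it identifies the code that will run."""
    if ref.startswith("./"):
        return "local"      # same-repo action: already fixed by the checked-out commit
    if ref.startswith("docker://"):
        return "docker"     # container image: pin by digest (@sha256:...) instead; not covered here
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "mutable"    # no version at all: resolves to the action's default branch
    if FULL_SHA_RE.match(version):
        return "pinned" if comment and VERSION_COMMENT_RE.match(comment) else "pinned-no-comment"
    if SHORT_SHA_RE.match(version):
        return "short-sha"  # abbreviated hashes are ambiguous and not collision-resistant
    return "mutable"        # tag or branch: whoever controls the upstream repo can move it


def lint_workflow(text: str) -> List[Finding]:
    """Return one Finding per `uses:` line, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            findings.append(Finding(lineno, m.group("ref"), classify(m.group("ref"), m.group("comment"))))
    return findings


def unpinned(text: str) -> List[Finding]:
    """The subset a reviewer should block on: mutable refs and abbreviated hashes."""
    return [f for f in lint_workflow(text) if f.status in ("mutable", "short-sha")]


def pinned_line(ref: str, commit: str, version: str) -> str:
    """Rewrite `owner/action@tag` as `owner/action@<sha> # <tag>`, the form used in this patch."""
    if not FULL_SHA_RE.match(commit):
        raise ValueError("commit must be a full 40-hex SHA")
    name = ref.rpartition("@")[0] if "@" in ref else ref
    return f"{name}@{commit} # {version}"


# Constructed sample: one workflow mixing every reference style the linter distinguishes.
SAMPLE_WORKFLOW = """\
name: example
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Upload
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
      - uses: some-org/some-action@65c4c4a # v1.0.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/other-action@main
"""

if __name__ == "__main__":
    for f in lint_workflow(SAMPLE_WORKFLOW):
        print(f"{f.line:>3}  {f.status:<18} {f.ref}")
    print("blocking:", [f.line for f in unpinned(SAMPLE_WORKFLOW)])
```

To produce the replacement for a flagged line, resolve the tag to a commit without cloning: `git ls-remote https://github.com/actions/checkout refs/tags/v4.2.2 'refs/tags/v4.2.2^{}'`. For an annotated tag the plain `refs/tags/...` row is the tag object, and the `^{}` row is the commit the workflow must pin; feed that hash to `pinned_line`. The `pinned-no-comment` status is reported separately because a bare hash is safe but unreadable, and tools that bump pins rely on the trailing comment to know which version the hash stands for.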
@llvmbot
Member

llvmbot commented Feb 13, 2025

@llvm/pr-subscribers-github-workflow

Author: Aiden Grossman (boomanaiden154)

Changes

This patch pins several actions dependencies in the premerge workflow and the Windows/Linux container build workflows to help improve security in the unlikely event that someone tries to pull off a supply chain security attack by modifying release assets for these actions.


Full diff: https://github.com/llvm/llvm-project/pull/127011.diff

3 Files Affected:

  • (modified) .github/workflows/build-ci-container-windows.yml (+3-3)
  • (modified) .github/workflows/build-ci-container.yml (+3-3)
  • (modified) .github/workflows/premerge.yaml (+6-6)
diff --git a/.github/workflows/build-ci-container-windows.yml b/.github/workflows/build-ci-container-windows.yml
index bba34066a97cd..068cb58301080 100644
--- a/.github/workflows/build-ci-container-windows.yml
+++ b/.github/workflows/build-ci-container-windows.yml
@@ -27,7 +27,7 @@ jobs:
       container-filename: ${{ steps.vars.outputs.container-filename }}
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           sparse-checkout: .github/workflows/containers/github-action-ci-windows
       - name: Write Variables
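Review bot: the `# v4.2.2` comment on the pinned `actions/checkout` line is informational only; nothing in the workflow verifies that the hash actually corresponds to that tag, so the mapping should be confirmed before merge with `git ls-remote https://github.com/actions/checkout 'refs/tags/v4.2.2^{}'` (the peeled form, because for an annotated tag the tag object's id is not the commit the runner checks out). The same check applies to every pin in this patch, and a mismatched comment is worse than none because later readers and update tools will trust it.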
@@ -46,7 +46,7 @@ jobs:
         run: |
           docker save  ${{ steps.vars.outputs.container-name-tag }} >  ${{ steps.vars.outputs.container-filename }}
       - name: Upload container image
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: container
           path: ${{ steps.vars.outputs.container-filename }}
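Review bot: `actions/upload-artifact` is pinned at v4.6.0 here while the `actions/download-artifact` pin in the next hunk is v4.1.8; both are v4 so the artifact format stays compatible, but the two must be bumped together in future updates (a v3/v4 split between them breaks downloads), so the pairing is worth a short comment on one of the lines or a grouped entry in whatever dependency-update config maintains these pins.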
@@ -63,7 +63,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Download container
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: container
       - name: Push Container
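Review bot: this job puts `GITHUB_TOKEN` in its environment, so the action executing here is the one with the most to gain from a pin; beyond the hash, check that the job's `permissions:` block is limited to what the push step needs (`packages: write` and nothing wider), since a compromised action at this point would inherit whatever scope that token carries.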
diff --git a/.github/workflows/build-ci-container.yml b/.github/workflows/build-ci-container.yml
index 8272c8f6e266f..1921a3675166d 100644
--- a/.github/workflows/build-ci-container.yml
+++ b/.github/workflows/build-ci-container.yml
@@ -32,7 +32,7 @@ jobs:
             runs-on: depot-ubuntu-22.04-arm-16
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           sparse-checkout: .github/workflows/containers/github-action-ci/
       # podman is not installed by default on the ARM64 images.
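Review bot: the same `actions/checkout` hash now appears in all three workflow files, and hash pins only stay current if every copy is updated in lockstep; if the repository does not already have a Dependabot `package-ecosystem: github-actions` entry (or the Renovate equivalent), it should be added with this change, since Dependabot updates SHA pins and rewrites the trailing `# vX.Y.Z` comment for exactly this form, and without it the pins will silently fall behind the tags they annotate.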
@@ -66,7 +66,7 @@ jobs:
           podman save ${{ steps.vars.outputs.container-name-agent-tag }} > ${{ steps.vars.outputs.container-agent-filename }}
 
       - name: Upload container image
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: container-${{ matrix.arch }}
           path: "*.tar"
@@ -90,7 +90,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Download container
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 
       - name: Push Container
         run: |
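Review bot: the pinned `download-artifact` step here has no `with: name:`, so at v4.1.8 it downloads every artifact of the run into one directory per artifact; that matches the per-arch `container-${{ matrix.arch }}` uploads in the previous hunk, but it should be stated in a comment on the step so a later reader does not "fix" it by adding a single `name:`, which would drop the other architecture.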
diff --git a/.github/workflows/premerge.yaml b/.github/workflows/premerge.yaml
index 178ab191a58be..5ec6e8f40efaa 100644
--- a/.github/workflows/premerge.yaml
+++ b/.github/workflows/premerge.yaml
@@ -33,11 +33,11 @@ jobs:
     runs-on: llvm-premerge-linux-runners
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
       - name: Setup ccache
-        uses: hendrikmuhs/[email protected]
+        uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
         with:
           max-size: "2000M"
       - name: Build and Test
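Review bot: `hendrikmuhs/ccache-action` is a third-party action, so this pin is more valuable than the `actions/` org ones above, but a commit hash fixes only that repository's contents: if the action itself references other actions by tag or downloads binaries at run time, those are not pinned by this change and should be checked in the action's source at `a1209f8` before treating the premerge jobs as fully pinned.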
@@ -94,11 +94,11 @@ jobs:
         shell: bash
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
       - name: Setup ccache
-        uses: hendrikmuhs/[email protected]
+        uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
         with:
           variant: "sccache"
           max-size: "2000M"
@@ -153,11 +153,11 @@ jobs:
       (github.event_name != 'pull_request' || github.event.action != 'closed')
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
       - name: Setup ccache
-        uses: hendrikmuhs/[email protected]
+        uses: hendrikmuhs/ccache-action@a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
         with:
           max-size: "2000M"
       - name: Install Ninja

@boomanaiden154
Contributor Author

I'm planning on going through more of these at some point, but wanted to start (and continually do it) incrementally to ensure nothing breaks while hacking on it.

@boomanaiden154 boomanaiden154 merged commit 161f64a into llvm:main Feb 13, 2025
16 checks passed
@boomanaiden154 boomanaiden154 deleted the hash-pin-ci-workflows branch February 13, 2025 20:16
joaosaffran pushed a commit to joaosaffran/llvm-project that referenced this pull request Feb 14, 2025
sivan-shani pushed a commit to sivan-shani/llvm-project that referenced this pull request Feb 24, 2025
3 participants