Copilot AI commented Sep 1, 2025

Implements comprehensive automation to pin GitHub Actions to full-length commit SHAs instead of version tags, significantly improving supply chain security by preventing potential malicious code injection through updated action versions.

What This PR Does

This PR adds a complete automation solution that:

  1. Scans all workflow files in .github/workflows/ to identify unpinned GitHub Actions (e.g., actions/checkout@v3)
  2. Fetches latest commit SHAs from GitHub repositories for each action using the GitHub API
  3. Safely replaces version tags with full-length commit SHAs while preserving YAML structure
  4. Validates changes to ensure workflows remain syntactically correct

Security Impact

Before:

- uses: actions/checkout@v3
- uses: actions/setup-node@v3

After:

- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744
- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610

This change prevents supply chain attacks where malicious actors could compromise action repositories and inject harmful code into new releases while maintaining the same version tag.

Implementation Details

Core Script: scripts/pin-github-actions.js

  • Smart Detection: Automatically finds .yml and .yaml workflow files
  • API Integration: Uses GitHub REST API to resolve version tags to specific commits
  • Safe Modification: Preserves YAML structure and validates syntax after changes
  • Caching: Minimizes API calls by caching commit SHA lookups
  • Error Handling: Gracefully handles non-existent repositories and network issues
  • Dry Run Mode: Allows preview of changes before applying them

Usage Examples

# Preview changes without modifying files
npm run pin-actions -- --dry-run

# Pin all GitHub Actions
npm run pin-actions

# With GitHub token for better rate limits
GITHUB_TOKEN=your_token npm run pin-actions

Comprehensive Testing

Added test/pin-github-actions.test.js with 7 test cases covering:

  • Workflow file discovery and parsing
  • Action identification (pinned vs unpinned)
  • SHA resolution and replacement logic
  • YAML validation after modifications
  • Dry run vs real execution modes
  • Error handling for edge cases

Documentation Updates

Updated README.md with:

  • Complete usage guide and examples
  • Security benefits explanation
  • Supported action formats
  • Testing instructions

Edge Cases Handled

Already pinned actions - Skipped automatically
Non-existent repositories - Graceful error handling
Version tag resolution - Handles v3, v3.8.1, main, etc.
YAML validation - Ensures workflows remain valid
Multiple workflow files - Processes entire .github/workflows/ directory

Real-World Application

This automation successfully processed the existing ci-cd.yml workflow, pinning 6 action references:

  • actions/checkout@v3 → actions/checkout@f43a0e5ff2bd294...
  • actions/setup-node@v3 → actions/setup-node@3235b876344d2a9a...

Running the script again correctly detects that all actions are already pinned and makes no changes, demonstrating the idempotent behavior.

Dependencies Added

  • js-yaml@^4.1.0 - For safe YAML parsing and serialization
  • @octokit/rest@^20.0.2 - For GitHub API integration

This automation can be integrated into CI/CD pipelines to automatically maintain security best practices for GitHub Actions across all workflow files.

This pull request was created as a result of the following prompt from Copilot chat.

Automate the process of pinning GitHub Actions to a full-length commit SHA in workflow YAML files to improve security. Specifically:

  1. Identify all workflow files (typically in the .github/workflows directory) that use unpinned GitHub Actions (e.g., actions/checkout@v3 or actions/setup-node@v3).
  2. Parse these workflow files to find all uses: statements with unpinned GitHub Actions.
  3. Fetch the latest full-length commit SHA for each action from their respective GitHub repositories.
  4. Replace the tag (e.g., @v3) with the corresponding full-length commit SHA in the workflow files.
  5. Ensure that the updates are made safely and that the workflows remain valid after the change.
  6. Commit the updated workflow files with a descriptive commit message (e.g., "Pin GitHub Actions to full-length commit SHAs for improved security").

Include thorough testing of the automation script to ensure it handles edge cases (e.g., non-existent actions, already pinned actions, actions with custom tags) and update documentation to describe how the automation works.
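As an added example of the scanning and replacement logic the description outlines (this is not the PR's scripts/pin-github-actions.js and not a sample of the project's own code), the following Node.js script parses `uses:` lines in workflow text, skips references that are already a full 40-hex SHA, replaces resolvable tags with the SHA, and reports anything it could not resolve. The resolver is an in-memory table standing in for the GitHub API, so the script runs offline; the two SHAs in that table are the ones quoted in the PR description, while the sample workflow, the table itself and the practice of keeping the original tag as a trailing `# v3` comment are assumptions of this example. Working line by line means only the ref portion of a matching line changes, so indentation and YAML structure are preserved by construction, and running the pass twice shows the idempotent behaviour the description claims.

```javascript
// Added example (not scripts/pin-github-actions.js from the PR): line-based
// detection and pinning of `uses:` references in a workflow file. Tag-to-SHA
// resolution is modelled by an in-memory table standing in for the GitHub API,
// so the example runs offline.

const FULL_SHA = /^[0-9a-f]{40}$/;

// Captures: [1] indentation + "- uses: ", [2] owner/repo[/path], [3] ref, [4] trailing comment.
// Local actions ("./path") and "docker://" images do not take this "owner/repo@ref"
// shape and are therefore left alone.
const USES_LINE = /^(\s*-?\s*uses:\s*)([\w.-]+\/[\w.-]+(?:\/[^@\s]+)?)@([^\s#]+)(\s*(?:#.*)?)$/;

function parseUses(line) {
  const m = USES_LINE.exec(line);
  return m ? { prefix: m[1], action: m[2], ref: m[3], suffix: m[4] } : null;
}

function isPinned(ref) {
  return FULL_SHA.test(ref);
}

// Constructed resolver table: the two SHAs are the ones quoted in the PR description.
// Any other action is deliberately absent so the unresolved path is exercised.
const RESOLVER_TABLE = {
  'actions/checkout@v3': 'f43a0e5ff2bd294095638e18286ca9a3d1956744',
  'actions/setup-node@v3': '3235b876344d2a9aa001b8d1453c930bba69e610',
};

function lookupSha(action, ref) {
  return RESOLVER_TABLE[`${action}@${ref}`] || null;
}

// Rewrites unpinned references in `text`. Only the ref portion of a matching line
// is touched, so YAML indentation and structure are preserved by construction.
function pinWorkflow(text, resolve) {
  const changes = [];
  const lines = text.split('\n').map((line, idx) => {
    const u = parseUses(line);
    if (!u || isPinned(u.ref)) return line;          // not an action ref, or already pinned
    const sha = resolve(u.action, u.ref);
    if (!sha) {
      changes.push({ line: idx + 1, action: u.action, ref: u.ref, status: 'unresolved' });
      return line;                                    // leave it untouched rather than guess
    }
    if (!FULL_SHA.test(sha)) {
      // A short SHA or a tag name would silently defeat the purpose of pinning.
      throw new Error(`resolver returned a non-full-length SHA for ${u.action}@${u.ref}: ${sha}`);
    }
    changes.push({ line: idx + 1, action: u.action, ref: u.ref, sha, status: 'pinned' });
    // Keep the original tag as a trailing comment (this example's choice, not the PR's)
    // so reviewers and update tooling can still see which version the SHA corresponds to.
    const comment = u.suffix.trim() ? u.suffix : ` # ${u.ref}`;
    return `${u.prefix}${u.action}@${sha}${comment}`;
  });
  return { text: lines.join('\n'), changes };
}

// Constructed sample workflow covering the edge cases the PR lists:
// unpinned tags, a local action, an unresolvable action and an already pinned SHA.
const SAMPLE_WORKFLOW = [
  'name: ci',
  'on: [push]',
  'jobs:',
  '  build:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v3',
  '      - uses: actions/setup-node@v3',
  '        with:',
  '          node-version: 18',
  '      - uses: ./.github/actions/local-step',
  '      - uses: example-org/unknown-action@v1  # no SHA known for this one',
  '      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744',
].join('\n');

// Runs the pass twice: the second pass must pin nothing and leave the text unchanged.
function demo() {
  const first = pinWorkflow(SAMPLE_WORKFLOW, lookupSha);
  const second = pinWorkflow(first.text, lookupSha);
  return {
    pinned: first.changes.filter((c) => c.status === 'pinned').length,
    unresolved: first.changes.filter((c) => c.status === 'unresolved').length,
    stableOnRerun: second.text === first.text && !second.changes.some((c) => c.status === 'pinned'),
    text: first.text,
  };
}
```

In a real run `lookupSha` would be replaced by a function that queries the GitHub API for the commit a tag points at; the full-length check on its return value is what stops a short SHA or a branch name from being written into the workflow, and unresolved references are reported rather than guessed so a reviewer can handle them by hand.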


Copilot AI changed the title [WIP] Automate pinning of GitHub Actions to full-length commit SHAs Automate GitHub Actions pinning to full-length commit SHAs for improved security Sep 1, 2025
Copilot AI requested a review from sonnyquinn24 September 1, 2025 07:04
Copilot finished work on behalf of sonnyquinn24 September 1, 2025 07:04

@sonnyquinn24 sonnyquinn24 left a comment

@copilot

@sonnyquinn24 sonnyquinn24 left a comment

@copilot

@sonnyquinn24 sonnyquinn24 left a comment

@copilot

@sonnyquinn24 sonnyquinn24 left a comment

@copilot

@sonnyquinn24 sonnyquinn24 left a comment

@copilot

@sonnyquinn24 sonnyquinn24 left a comment

Done

@sonnyquinn24 sonnyquinn24 left a comment

Done

@sonnyquinn24 sonnyquinn24 left a comment

Done

@sonnyquinn24 sonnyquinn24 left a comment

Done

@sonnyquinn24 sonnyquinn24 marked this pull request as ready for review September 1, 2025 09:16
Copilot AI review requested due to automatic review settings September 1, 2025 09:16

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
