Pin all GitHub Actions to specific versions in CI workflows #241

@nanotaboada

Description

Currently, our GitHub Actions workflows reference actions using major-only tags (e.g., actions/checkout@v4). This allows for automatic minor and patch updates, which can introduce breaking changes or security risks without visibility.

To improve security, reproducibility, and compatibility with Dependabot, we should pin all actions to fully qualified versions (e.g., actions/checkout@v4.2.2).

Proposed Solution

Update all workflow files to replace loose version tags (e.g., @v4) with fully pinned semantic versions (e.g., @v4.2.2). This ensures:

  • Builds remain stable over time.
  • Changes to action versions are explicit and reviewable (via Dependabot).
  • The CI system is less prone to unexpected behavior.

Suggested Implementation

Before

- uses: actions/checkout@v4

After

- uses: actions/checkout@v4.2.2

You can get the latest versions from https://github.com/marketplace?type=actions

Acceptance Criteria

  • All GitHub Actions in workflow YAML files are pinned to specific versions (e.g., @vX.Y.Z).
  • Workflows pass successfully after changes.
  • Dependabot is already configured to detect updates to actions.
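As an added example (not part of this issue or the project's own code), the script below implements the first acceptance criterion as an offline check: it scans workflow YAML for `uses:` references and reports any that are not pinned. It accepts the full semantic-version tags this issue proposes (`@v4.2.2`) and also a full 40-character commit SHA, which is the stronger pin: a tag such as `v4.2.2` can be moved by the action's maintainer, or by anyone who compromises that repository, whereas a commit SHA cannot, and Dependabot keeps both forms updated. Major-only tags (`@v4`), `major.minor` tags, branch names and versionless references are flagged; local (`./`) and `docker://` references are skipped. The embedded sample workflow is constructed for illustration and the SHA in it is not a real commit.

```python
"""Check that every `uses:` reference in a GitHub Actions workflow is pinned.

Pinned means either a full semantic version tag (actions/checkout@v4.2.2),
as this issue proposes, or a full 40-hex commit SHA, which is the stronger
pin because tags can be moved. Major-only tags (@v4), major.minor tags
(@v4.2), branch names (@main) and references with no version are flagged.
Local actions (./path) and Docker references (docker://...) are skipped.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow for illustration only; the SHA is not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.0.3
        with:
          node-version: 20
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2 (illustrative SHA)
      - uses: ./.github/actions/local-step
      - uses: some-org/deploy-action@main
      - run: npm test
"""


@dataclass
class Finding:
    line: int
    ref: str
    reason: str


def classify(ref: str) -> str:
    """Return 'pinned', 'unpinned' or 'skipped' for one uses: reference."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return "skipped"
    if "@" not in ref:
        return "unpinned"  # e.g. actions/checkout with no version at all
    version = ref.rsplit("@", 1)[1]
    if SHA_RE.match(version) or SEMVER_RE.match(version):
        return "pinned"
    return "unpinned"  # @v4, @v4.2, @main, @master, ...


def find_unpinned(workflow_yaml: str) -> List[Finding]:
    """Scan workflow text line by line and return every unpinned uses: reference."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), start=1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1).strip("'\"")  # tolerate quoted values
        if classify(ref) == "unpinned":
            version = ref.rsplit("@", 1)[1] if "@" in ref else "(none)"
            findings.append(Finding(
                lineno, ref,
                f"version {version!r} is not a full X.Y.Z tag or 40-hex commit SHA"))
    return findings


def main(paths: List[str]) -> int:
    """Check each workflow file given (or the embedded sample); exit 1 on findings."""
    sources = [(p, open(p, encoding="utf-8").read()) for p in paths]
    if not sources:
        sources = [("<sample>", SAMPLE_WORKFLOW)]
    total = 0
    for name, text in sources:
        for f in find_unpinned(text):
            print(f"{name}:{f.line}: {f.ref}: {f.reason}")
            total += 1
    return 1 if total else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_pins.py .github/workflows/*.yml` in CI so the job fails if a loose tag is reintroduced; with no arguments it checks the embedded sample and reports the `@v4` and `@main` references.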

Labels: dependencies (Pull requests that update a dependency file), enhancement (New feature or request), github_actions (Pull requests that update GitHub Actions code)