chore: pin GitHub Actions to SHA for supply chain security (#28)

corneliusludmann · ona-agent · web-flow · commit c4bb23f31931 · 2025-12-11T15:42:49.000+01:00
Pin all external GitHub Actions to specific commit SHAs to prevent
supply chain attacks via malicious tag updates.

Actions pinned:
- actions/checkout@v4
- actions/setup-node@v4
- docker/build-push-action@v6
- filiptronicek/get-last-job-status@main
- google-github-actions/auth@v2
- google-github-actions/setup-gcloud@v2
- rtCamp/action-slack-notify@v2

Part of PDE-138
Closes PDE-221

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.github/workflows/gitpod-web-docker.yml b/.github/workflows/gitpod-web-docker.yml
@@ -6,19 +6,19 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
       - name: Auth Google Cloud SDK
-        uses: google-github-actions/auth@v2
+        uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # pin@v2
         with:
           credentials_json: ${{ secrets.GCP_SA_KEY }}
       - name: Set up Google Cloud SDK
-        uses: google-github-actions/setup-gcloud@v2
+        uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # pin@v2
         with:
           project_id: ${{ secrets.GCP_PROJECT_ID }}
       - name: Set up Docker
         run: |
           gcloud auth configure-docker --quiet
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # pin@v4
         with:
           node-version: 20
           cache: 'yarn'
@@ -43,7 +43,7 @@ jobs:
           yarn --cwd gitpod-web/ inject-commit-hash
 
       - name: Docker build and push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # pin@v6
         with:
           push: true
           context: gitpod-web
@@ -60,11 +60,11 @@ jobs:
 
       - name: Get previous job's status
         id: lastrun
-        uses: filiptronicek/get-last-job-status@main
+        uses: filiptronicek/get-last-job-status@1c211ff20d1706ff0bc3fc8022f7bd6518b88bc4 # pin@main
 
       - name: Slack Notification
         if: ${{ (success() && steps.lastrun.outputs.status == 'failed') || failure() }}
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # pin@v2
         env:
           SLACK_WEBHOOK: ${{ secrets.IDE_SLACK_WEBHOOK }}
           SLACK_COLOR: ${{ job.status }}
diff --git a/.github/workflows/release-gitpod-remote.yml b/.github/workflows/release-gitpod-remote.yml
@@ -7,9 +7,9 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # pin@v4
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # pin@v4
         with:
           node-version: 20
 
