[llvm] [Github][CI] Hashpin actions dependencies (PR #127011)

via llvm-commits llvm-commits at lists.llvm.org
Wed Feb 12 20:36:32 PST 2025


llvmbot wrote:



@llvm/pr-subscribers-github-workflow

Author: Aiden Grossman (boomanaiden154)

<details>
<summary>Changes</summary>

This patch pins several actions dependencies in the premerge workflow and the Windows/Linux container build workflows to help improve security in the unlikely event that someone tries to pull off a supply chain security attack by modifying release assets for these actions.

---
Full diff: https://github.com/llvm/llvm-project/pull/127011.diff


3 Files Affected:

- (modified) .github/workflows/build-ci-container-windows.yml (+3-3) 
- (modified) .github/workflows/build-ci-container.yml (+3-3) 
- (modified) .github/workflows/premerge.yaml (+6-6) 


``````````diff
diff --git a/.github/workflows/build-ci-container-windows.yml b/.github/workflows/build-ci-container-windows.yml
index bba34066a97cd..068cb58301080 100644
--- a/.github/workflows/build-ci-container-windows.yml
+++ b/.github/workflows/build-ci-container-windows.yml
@@ -27,7 +27,7 @@ jobs:
       container-filename: ${{ steps.vars.outputs.container-filename }}
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout at v4
+        uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           sparse-checkout: .github/workflows/containers/github-action-ci-windows
       - name: Write Variables
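Review bot: the `# v4.2.2` trailer on the new `uses:` line is a plain comment that nothing in the workflow checks, so a reader has to take on trust that `11bd71901bbe5b1630ceea73d27597364c9af683` is really the commit behind the v4.2.2 tag. Please confirm the hash against the upstream tag at review time, and say in the description how these pins will be kept current: a tool that bumps the hash without the comment (or the reverse) silently breaks the correspondence, and the same pair is repeated in the Linux container workflow and three times in premerge.yaml.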
@@ -46,7 +46,7 @@ jobs:
         run: |
           docker save  ${{ steps.vars.outputs.container-name-tag }} >  ${{ steps.vars.outputs.container-filename }}
       - name: Upload container image
-        uses: actions/upload-artifact at v4
+        uses: actions/upload-artifact at 65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: container
           path: ${{ steps.vars.outputs.container-filename }}
@@ -63,7 +63,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Download container
-        uses: actions/download-artifact at v4
+        uses: actions/download-artifact at fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: container
       - name: Push Container
diff --git a/.github/workflows/build-ci-container.yml b/.github/workflows/build-ci-container.yml
index 8272c8f6e266f..1921a3675166d 100644
--- a/.github/workflows/build-ci-container.yml
+++ b/.github/workflows/build-ci-container.yml
@@ -32,7 +32,7 @@ jobs:
             runs-on: depot-ubuntu-22.04-arm-16
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout at v4
+        uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           sparse-checkout: .github/workflows/containers/github-action-ci/
       # podman is not installed by default on the ARM64 images.
@@ -66,7 +66,7 @@ jobs:
           podman save ${{ steps.vars.outputs.container-name-agent-tag }} > ${{ steps.vars.outputs.container-agent-filename }}
 
       - name: Upload container image
-        uses: actions/upload-artifact at v4
+        uses: actions/upload-artifact at 65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         with:
           name: container-${{ matrix.arch }}
           path: "*.tar"
@@ -90,7 +90,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Download container
-        uses: actions/download-artifact at v4
+        uses: actions/download-artifact at fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 
       - name: Push Container
         run: |
diff --git a/.github/workflows/premerge.yaml b/.github/workflows/premerge.yaml
index 178ab191a58be..5ec6e8f40efaa 100644
--- a/.github/workflows/premerge.yaml
+++ b/.github/workflows/premerge.yaml
@@ -33,11 +33,11 @@ jobs:
     runs-on: llvm-premerge-linux-runners
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout at v4
+        uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
       - name: Setup ccache
-        uses: hendrikmuhs/ccache-action at v1.2.14
+        uses: hendrikmuhs/ccache-action at a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
         with:
           max-size: "2000M"
       - name: Build and Test
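Review bot: this hunk does more than pin. `hendrikmuhs/ccache-action` moves from v1.2.14 to v1.2.17, whereas the checkout line only freezes the floating `v4` tag at v4.2.2. The description says the patch pins dependencies, so either call out the ccache-action bump explicitly (it is a third-party action outside the `actions/` org, which is exactly where a pin matters most) or split the bump into its own change so that a regression can be bisected to the version change rather than to the pinning.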
@@ -94,11 +94,11 @@ jobs:
         shell: bash
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout at v4
+        uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
       - name: Setup ccache
-        uses: hendrikmuhs/ccache-action at v1.2.14
+        uses: hendrikmuhs/ccache-action at a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
         with:
           variant: "sccache"
           max-size: "2000M"
@@ -153,11 +153,11 @@ jobs:
       (github.event_name != 'pull_request' || github.event.action != 'closed')
     steps:
       - name: Checkout LLVM
-        uses: actions/checkout at v4
+        uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 2
       - name: Setup ccache
-        uses: hendrikmuhs/ccache-action at v1.2.14
+        uses: hendrikmuhs/ccache-action at a1209f81afb8c005c13b4296c32e363431bffea5 # v1.2.17
         with:
           max-size: "2000M"
       - name: Install Ninja
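Review bot: this is the third identical copy of the checkout and ccache-action pins in premerge.yaml. Drift between the copies is easy to miss in review, so whatever process updates the pins needs to touch all three together; a follow-up that checks every `uses:` line in the repository for a full-length SHA plus version comment would catch a stale copy automatically.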

``````````

</details>


https://github.com/llvm/llvm-project/pull/127011
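An added example, not part of this PR or of LLVM's own tooling: a small Python linter that checks `uses:` lines in a workflow for the pinning style this patch adopts (a 40-hex commit SHA followed by a `# vX.Y.Z` comment) and flags floating tags or pins that lost their version comment. The sample workflow text is constructed for the example; the SHAs in it are the ones from the diff above, written with the real `owner/repo@ref` syntax (the list archive renders `@` as ` at `).

```python
"""Added example (not part of the LLVM PR): lint GitHub Actions `uses:` lines
for full-SHA pinning. The sample workflow below is constructed for this example."""
import re

# Matches `uses: owner/repo@ref` optionally followed by a `# comment`.
# Local actions (`./path`) and docker:// references are not pinnable by SHA
# in the same way and are skipped.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?\s*$')
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
VERSION_COMMENT_RE = re.compile(r'^v?\d+(\.\d+)*')


def check_uses(line):
    """Classify one line. Returns None if the line is not a `uses:` line,
    otherwise (target, status) where status is one of:
      'pinned'            40-hex SHA with a version comment (the style in the PR)
      'pinned-no-comment' 40-hex SHA but no `# vX.Y.Z` comment to document it
      'floating'          a tag or branch name, which upstream can move
      'skipped'           local or docker:// reference
    """
    m = USES_RE.match(line)
    if not m:
        return None
    target, comment = m.group(1), m.group(2)
    if target.startswith('./') or target.startswith('docker://'):
        return target, 'skipped'
    if '@' not in target:
        return target, 'floating'  # no ref at all resolves to the default branch
    _, ref = target.rsplit('@', 1)
    if SHA_RE.match(ref):
        if comment and VERSION_COMMENT_RE.match(comment.strip()):
            return target, 'pinned'
        return target, 'pinned-no-comment'
    return target, 'floating'


def lint_workflow(text):
    """Return (lineno, target, status) for every `uses:` line that is not
    SHA-pinned with a version comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        result = check_uses(line)
        if result is None:
            continue
        target, status = result
        if status in ('floating', 'pinned-no-comment'):
            findings.append((lineno, target, status))
    return findings


# Constructed sample: one floating tag, one correctly pinned action, one local
# action and one SHA pin missing its version comment.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Checkout (pinned)
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Local action
        uses: ./.github/actions/setup
      - name: Pinned but no comment
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08
"""

if __name__ == '__main__':
    for lineno, target, status in lint_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {target}: {status}")
```

Run over a real checkout with `lint_workflow(open(path).read())` for each file under `.github/workflows/`; a clean run is the property the PR is trying to establish for the three files it touches, and the `pinned-no-comment` status is what catches a hash bumped without its comment (or a comment left behind after a hash change, which this check cannot see and which still needs a human to compare against the upstream tag).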

