Skip to content

chore: Pin GitHub Actions to commit SHA #4562

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alexsohn1126 merged 30 commits into from
Oct 6, 2025
Merged

chore: Pin GitHub Actions to commit SHA #4562

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
c514f59
Pin Sentry-related Actions to Commit-SHA
alexsohn1126 Sep 24, 2025
de80ff4
Pin other GitHub actions to commits
alexsohn1126 Sep 24, 2025
5e0a0d5
remove unnecessary comments
alexsohn1126 Sep 24, 2025
dbaceb1
fix anchoring issues
alexsohn1126 Sep 24, 2025
3c4b036
fix anchoring references
alexsohn1126 Sep 24, 2025
f504066
update CHANGELOG.md
alexsohn1126 Sep 24, 2025
4782b69
update git hashes (sorry i trusted claude code :( )
alexsohn1126 Sep 25, 2025
b53c34e
fix yaml
alexsohn1126 Sep 25, 2025
c9a7232
comment long versions and stylistic changes
alexsohn1126 Sep 25, 2025
cbc4143
add commonly used actions with commit SHAs
alexsohn1126 Sep 26, 2025
8a116d5
Make workflows use our commit SHA-pinned actions
alexsohn1126 Sep 26, 2025
be04cff
fix build.yml
alexsohn1126 Sep 26, 2025
468d1a1
update changelog
alexsohn1126 Sep 26, 2025
d657eb9
delete checkout local action
alexsohn1126 Sep 26, 2025
5599262
dont use anchors
alexsohn1126 Sep 26, 2025
8bc2756
add output to cache action
alexsohn1126 Sep 26, 2025
1aaaa72
update buildnative action to use local cache action
alexsohn1126 Sep 29, 2025
6681d41
remove local action wrappers
alexsohn1126 Sep 29, 2025
0253a65
remove unused upload-artifact local action
alexsohn1126 Sep 29, 2025
273049f
revert version comment removal from github-workflows
alexsohn1126 Sep 29, 2025
c334e1e
revert github-workflow comment removes
alexsohn1126 Sep 29, 2025
5a77ef1
Update .github/workflows/danger.yml
alexsohn1126 Sep 29, 2025
ccf2a87
Update .github/workflows/update-deps.yml
alexsohn1126 Sep 29, 2025
076ec19
fix version comments on SHA-pinned actions
alexsohn1126 Sep 29, 2025
8ba0384
fix tag names in styfle
alexsohn1126 Sep 29, 2025
4783fed
fix codeql versions
alexsohn1126 Sep 29, 2025
bad4558
pin other actions using tags to commit SHAs
alexsohn1126 Oct 1, 2025
4161a67
fix missing/vague version comments
alexsohn1126 Oct 1, 2025
6e09784
pin buildnative cache action to v3.5.0
alexsohn1126 Oct 1, 2025
c3950f0
Merge branch 'main' into alexsohn/chore/use-commit-sha-for-github-act…
alexsohn1126 Oct 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 5 additions & 5 deletions .github/workflows/alpine.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,18 +23,18 @@ jobs:
packages: write

steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

- uses: docker/login-action@v3
- uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: docker/setup-qemu-action@v3
- uses: docker/setup-buildx-action@v3
- uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

- uses: docker/build-push-action@v6
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
push: true
platforms: linux/amd64,linux/arm64
Expand Down
72 changes: 45 additions & 27 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,24 @@ on:
workflow_dispatch:

jobs:
# This job won't actually run, it just defines reusable anchors
_common:
if: false # prevents execution
runs-on: ubuntu-latest
steps:
- &checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
Comment thread
alexsohn1126 marked this conversation as resolved.
Outdated
- &cache
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
- &cache-restore
uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
- &upload-artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- &download-artifact
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
- &sentry-github-workflow
uses: getsentry/github-workflows/sentry-cli/integration-test/@a5e409bd5bad4c295201cdcfe862b17c50b29ab7 # v2.14.1

build-sentry-native:
name: sentry-native (${{ matrix.rid }})
runs-on: ${{ matrix.os }}
Comment thread
seer-by-sentry[bot] marked this conversation as resolved.
Expand Down Expand Up @@ -48,7 +66,7 @@ jobs:
curl -sSL https://raw.githubusercontent.com/${{ github.repository }}/${{ github.sha }}/.github/alpine/setup-node.sh | sudo bash /dev/stdin

- name: Checkout
uses: actions/checkout@v5
<<: *checkout

- run: git submodule update --init modules/sentry-native

Expand All @@ -57,8 +75,8 @@ jobs:
- name: Install zstd on Windows ARM64
uses: ./.github/actions/install-zstd

- uses: actions/cache@v4
id: cache
- id: cache
<<: *cache
with:
Comment thread
alexsohn1126 marked this conversation as resolved.
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-${{ matrix.rid }}-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
Expand Down Expand Up @@ -124,8 +142,8 @@ jobs:
if: github.ref_name != 'main' && !startsWith(github.ref_name, 'release/')
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # Tag: 0.12.1

- name: Checkout
uses: actions/checkout@v5
- <<: *checkout
name: Checkout
with:
submodules: recursive
fetch-depth: 2 # default is 1 and codecov needs > 1
Expand All @@ -144,47 +162,47 @@ jobs:

- name: Download sentry-native (linux-x64)
if: ${{ (env.CI_PUBLISHING_BUILD == 'true') || (matrix.rid == 'linux-x64') }}
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-linux-x64-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
fail-on-cache-miss: true

- name: Download sentry-native (linux-arm64)
if: ${{ (env.CI_PUBLISHING_BUILD == 'true') || (matrix.rid == 'linux-arm64') }}
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-linux-arm64-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
fail-on-cache-miss: true

- name: Download sentry-native (linux-musl-x64)
if: ${{ (env.CI_PUBLISHING_BUILD == 'true') || (matrix.rid == 'linux-musl-x64') }}
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-linux-musl-x64-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
fail-on-cache-miss: true

- name: Download sentry-native (linux-musl-arm64)
if: ${{ (env.CI_PUBLISHING_BUILD == 'true') || (matrix.rid == 'linux-musl-arm64') }}
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-linux-musl-arm64-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
fail-on-cache-miss: true

- name: Download sentry-native (macos)
if: ${{ (env.CI_PUBLISHING_BUILD == 'true') || (matrix.rid == 'macos') }}
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-macos-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
fail-on-cache-miss: true

- name: Download sentry-native (win-x64)
if: ${{ (env.CI_PUBLISHING_BUILD == 'true') || (matrix.rid == 'win-x64') }}
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-win-x64-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
Expand All @@ -193,7 +211,7 @@ jobs:

- name: Download sentry-native (win-arm64)
if: ${{ (env.CI_PUBLISHING_BUILD == 'true') || (matrix.rid == 'win-arm64') }}
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-win-arm64-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
Expand All @@ -213,7 +231,7 @@ jobs:

- name: Upload build logs
if: ${{ always() }}
uses: actions/upload-artifact@v4
<<: *upload-artifact
with:
name: ${{ matrix.rid }}-build-logs
path: |
Expand All @@ -231,7 +249,7 @@ jobs:

- name: Upload build and test outputs
if: failure()
uses: actions/upload-artifact@v4
<<: *upload-artifact
with:
name: ${{ matrix.rid }}-verify-test-results
path: "**/*.received.*"
Expand All @@ -241,7 +259,7 @@ jobs:

- name: Archive NuGet Packages
if: env.CI_PUBLISHING_BUILD == 'true'
uses: actions/upload-artifact@v4
<<: *upload-artifact
with:
name: ${{ github.sha }}
if-no-files-found: error
Expand All @@ -251,7 +269,7 @@ jobs:

- name: Sparse checkout
if: env.CI_PUBLISHING_BUILD == 'true'
uses: actions/checkout@v5
<<: *checkout
with:
# We only check out what is absolutely necessary to reduce a chance of local files impacting
# integration tests, e.g. Directory.Build.props, nuget.config, ...
Expand All @@ -261,13 +279,13 @@ jobs:

- name: Fetch NuGet Packages
if: env.CI_PUBLISHING_BUILD == 'true'
uses: actions/download-artifact@v5
<<: *download-artifact
with:
name: ${{ github.sha }}
path: src

- name: Integration test
uses: getsentry/github-workflows/sentry-cli/integration-test/@a5e409bd5bad4c295201cdcfe862b17c50b29ab7 # v2.14.1
<<: *sentry-github-workflow
with:
path: integration-test

Expand All @@ -278,12 +296,12 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v5
<<: *checkout
with:
submodules: recursive

- name: Download sentry-native (win-x64)
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-win-x64-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
Expand All @@ -305,7 +323,7 @@ jobs:

- name: Upload logs
if: ${{ always() }}
uses: actions/upload-artifact@v4
<<: *upload-artifact
with:
name: ${{ runner.os }}-msbuild-logs
path: |
Expand All @@ -331,7 +349,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v5
<<: *checkout
with:
submodules: recursive

Expand All @@ -342,13 +360,13 @@ jobs:
uses: ./.github/actions/buildnative

- name: Fetch NuGet Packages
uses: actions/download-artifact@v5
<<: *download-artifact
with:
name: ${{ github.sha }}
path: src

- name: Test AOT
uses: getsentry/github-workflows/sentry-cli/integration-test/@a5e409bd5bad4c295201cdcfe862b17c50b29ab7 # v2.14.1
<<: *sentry-github-workflow
env:
RuntimeIdentifier: ${{ matrix.rid }}
with:
Expand All @@ -361,7 +379,7 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v5
<<: *checkout
with:
submodules: recursive
fetch-depth: 2 # default is 1 and codecov needs > 1
Expand All @@ -371,7 +389,7 @@ jobs:
run: echo "CI_PUBLISHING_BUILD=true" >> $GITHUB_ENV

- name: Download sentry-native (macos)
uses: actions/cache/restore@v4
<<: *cache-restore
with:
path: src/Sentry/Platforms/Native/sentry-native
key: sentry-native-macos-${{ hashFiles('scripts/build-sentry-native.ps1') }}-${{ hashFiles('.git/modules/modules/sentry-native/HEAD') }}
Expand Down Expand Up @@ -400,7 +418,7 @@ jobs:
if: ${{ !startsWith(github.ref_name, 'release/') }}

steps:
- uses: actions/checkout@v5
- <<: *checkout
with:
submodules: recursive

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ jobs:
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # Tag: 0.12.1

- name: Checkout repository
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
Comment thread
alexsohn1126 marked this conversation as resolved.
with:
submodules: recursive

Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/danger.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,4 +6,4 @@ on:

jobs:
danger:
uses: getsentry/github-workflows/.github/workflows/danger.yml@v2
uses: getsentry/github-workflows/.github/workflows/danger.yml@1949ea01ec2da6139d1bcc306c372e6aea76fb72 # v2
Comment thread
alexsohn1126 marked this conversation as resolved.
Outdated
22 changes: 17 additions & 5 deletions .github/workflows/device-tests-android.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,18 @@ on:
workflow_dispatch:

jobs:
# This job won't actually run, it just defines reusable anchors
_common:
if: false # prevents execution
runs-on: ubuntu-latest
steps:
- &checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- &upload-artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
- &download-artifact
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0

Comment thread
seer-by-sentry[bot] marked this conversation as resolved.
Outdated
build:
name: Build (${{ matrix.tfm }})
runs-on: ubuntu-latest
Expand All @@ -27,7 +39,7 @@ jobs:
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # Tag: 0.12.1

- name: Checkout
uses: actions/checkout@v5
<<: *checkout
with:
submodules: recursive

Expand All @@ -42,7 +54,7 @@ jobs:

- name: Upload Android Test App (net9.0)
if: matrix.tfm == 'net9.0'
uses: actions/upload-artifact@v4
<<: *upload-artifact
with:
name: device-test-android-net9.0
if-no-files-found: error
Expand Down Expand Up @@ -80,10 +92,10 @@ jobs:
sudo udevadm trigger --name-match=kvm

- name: Checkout
uses: actions/checkout@v5
<<: *checkout

- name: Download test app artifact
uses: actions/download-artifact@v5
<<: *download-artifact
with:
name: device-test-android-${{ matrix.tfm }}
path: bin
Expand Down Expand Up @@ -126,7 +138,7 @@ jobs:

- name: Upload results
if: success() || failure()
uses: actions/upload-artifact@v4
<<: *upload-artifact
with:
name: device-test-android-${{ matrix.api-level }}-${{ matrix.tfm }}-results
path: test_output
14 changes: 12 additions & 2 deletions .github/workflows/device-tests-ios.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,16 @@ on:
workflow_dispatch:

jobs:
# This job won't actually run, it just defines reusable anchors
_common:
if: false # prevents execution
runs-on: ubuntu-latest
steps:
- &checkout
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- &upload-artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

ios-tests:
runs-on: macos-15
env:
Expand All @@ -24,7 +34,7 @@ jobs:
uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # Tag: 0.12.1
Comment thread
alexsohn1126 marked this conversation as resolved.
Outdated

- name: Checkout
uses: actions/checkout@v5
<<: *checkout
with:
submodules: recursive

Expand All @@ -45,7 +55,7 @@ jobs:

- name: Upload results
if: success() || failure()
uses: actions/upload-artifact@v4
<<: *upload-artifact
Comment thread
alexsohn1126 marked this conversation as resolved.
Outdated
with:
name: device-test-ios-results
path: test_output
2 changes: 1 addition & 1 deletion .github/workflows/format-code.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
runs-on: macos-15
steps:
- name: Checkout
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
submodules: recursive

Expand Down
Loading
Loading