Pin actions/setup-python to a hash #378
GitHub has recently added support for requiring pinning hashes in actions (https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/). This is more secure - tags can be changed - and prevents CI from breaking on a bad update. The policy applies transitively to all used actions, which breaks this action when the policy is enabled (https://github.com/astral-sh/uv/actions/runs/17008660079/job/48221734296). This PR switches to using a hash for the action. If desired, renovate can be configured to update the hash (`pinDigests: true`)
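An audit script, added here as an example and not part of this PR or the action, that reports which `uses:` references a SHA-pinning policy would reject and which pinned references lack the inline version comment Dependabot and Renovate keep in sync with the hash. The sample workflow is constructed; only the setup-python hash comes from this PR, the other SHAs are placeholders.

```python
"""Audit `uses:` lines in a GitHub Actions workflow: each remote action should
be pinned to a full 40-hex commit SHA and carry a `# vX.Y.Z` comment. Regex
based, so it runs offline without a YAML parser. Example code, not the PR's."""
import re

# Constructed sample workflow. Only the setup-python hash is real (from the
# PR); the other SHAs are placeholders made of repeated digits.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v4.0.0
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0  # yamllint disable-line rule:line-length
      - uses: actions/cache@2222222222222222222222222222222222222222
      - uses: pypa/gh-action-pypi-publish@release/v1
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?P<rest>.*)$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"#\s*v?\d+(\.\d+)*")

def audit_uses(workflow_text):
    """Return (line_no, ref, status) for every `uses:` line; status is
    'pinned', 'pinned-no-version-comment', 'unpinned' or 'local'."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, rest = m.group("ref"), m.group("rest")
        if ref.startswith("./"):  # local action: nothing remote to pin
            findings.append((line_no, ref, "local"))
            continue
        _, _, version = ref.partition("@")
        if not SHA_RE.match(version):  # tag or branch: policy rejects it
            findings.append((line_no, ref, "unpinned"))
        elif VERSION_COMMENT_RE.search(rest):
            findings.append((line_no, ref, "pinned"))
        else:
            findings.append((line_no, ref, "pinned-no-version-comment"))
    return findings

def unpinned_refs(workflow_text):
    return [r for _, r, s in audit_uses(workflow_text) if s == "unpinned"]

if __name__ == "__main__":
    for line_no, ref, status in audit_uses(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {status:26} {ref}")
```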
```yaml
# v5.6.0
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
```
The style that's also used by Renovate is having the version comment on the same line as the hash, but then yamllint complains that the line is too long:
```diff
-# v5.6.0
-uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065
+uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
```
dependabot also uses this style and will update the comment if it updates the hash
is there a way to silence the lint?
> is there a way to silence the lint?

yamllint has a mechanism for ignores.
@konstin I had some success with `# yamllint disable-line rule:line-length` in the past; could you try appending it? Let's have the inline version comment because Dependabot would understand that. If it doesn't work, there's also a way to disable and then re-enable the rule.

Is there any progress on this? It seems that local forks of this repo can't be accessed by the runners by default, so this PR would be a huge help
webknjaz left a comment:
@konstin thanks for letting me know about the new setting!
In general, I don't like the pinning bots because they are very noisy (this is especially noticeable when you get notifications from hundreds of projects). It might feel different to people only maintaining one thing, though.
That said, I've been thinking about how to tackle the pinning problem in GHA (especially given my interest in community-shareable reusable workflows). I don't know if Renovate is able to be less noisy than Dependabot but perhaps it's worth a try.
I'm inclined to make use of https://github.com/davidism/gha-update instead, though. With that, I'd run pinning as a part of the release process and keep the rolling branches unpinned.
This would require some automation/infra effort so I'm thinking of making a one-time exception just this once and reverting it later.
By the way, does this need a release or would people be able to point to a SHA on a branch? I know this works, just don't know how it'd play with the new policy checks. Does anybody know?

I've run into issues pulling a SHA from a branch, it seems like the runners aren't able to pull specific hashes without an associated release. I believe there are workarounds if you check out the branch separately, but a release would be ideal.

Renovate has vast flexibility in configuration options, we can configure to any cadence and any grouping. They have a page dedicated to reducing noise in their docs: https://docs.renovatebot.com/noise-reduction/. I can help with an initial renovate config, but this is ultimately a decision for the repo maintainers (and I can't PR adding the renovate app)

@konstin thanks! But that wouldn't facilitate my preference of keeping the

Renovate can make PRs on a cron schedule to merge into that branch, is there any specific interaction with the unpinning?
Use a version of the GitHub Action that uses a pinned hash, to fix the publish test. See #15324 and pypa/gh-action-pypi-publish#378 for details.
GitHub has recently added support for requiring pinning hashes in actions (https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/, https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions). This is more secure - tags can be modified - and prevents CI from breaking on a bad update.
The policy applies transitively to all used actions, which breaks this action when the policy is enabled (https://github.com/astral-sh/uv/actions/runs/17008660079/job/48221734296). This PR switches to using a hash for the action, solving this.
If desired, renovate can be configured to update the hash at regular intervals (`pinDigests: true`).