Skip to content

CI: Hash-pin all actions #146488

New issue
New issue
Open
Open
CI: Hash-pin all actions#146488
Labels
infraCI, GitHub Actions, buildbots, Dependabot, etc.type-securityA security issue
@woodruffw

Description

@woodruffw
woodruffw
opened on Mar 26, 2026

(Sorry for using a blank issue for this! None of the other templates seemed exactly right.)

I'm proposing that CPython's CI switch to fully-hash-pinned GitHub Actions references. This is enforced by default via zizmor, but currently CPython's configuration relaxes that default here:

cpython/.github/zizmor.yml

Line 10 in 17070f4

"*": ref-pin

Doing so should be a non-breaking change: the versions resolved will be the same as before, and tools like Dependabot/Renovate/pinact will continue to be able to update any action references, including their hashes.

Ref: https://docs.zizmor.sh/audits/#unpinned-uses

CC @sethmlarson

Linked PRs

Metadata

Metadata

Assignees

No one assigned

    Labels

    infraCI, GitHub Actions, buildbots, Dependabot, etc.type-securityA security issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions