[CI] Pin actions by version tag, trim wheel perms#19703
Conversation
Convert SHA-pinned third-party actions to their full version tags across all workflows and composite actions; each tag verified to resolve to the same commit that was pinned. Drop the unused actions:read / contents:read permissions from the upload_pypi job (aligns with apache/tvm-ffi). No behavior change.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request replaces full-length commit SHA pinning with mutable version tags for several GitHub Actions in the workflow files. The reviewer advises against this change, highlighting that pinning actions by their immutable commit SHA is a security best practice to prevent supply chain attacks, and recommends retaining the SHA-pinned references.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| # ---- Cache LLVM prefix ---- | ||
| - name: Cache LLVM | ||
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | ||
| uses: actions/cache@v5.0.5 |
There was a problem hiding this comment.
Pinning third-party actions by a full-length commit SHA is a security best practice recommended by GitHub. Unlike tags, which are mutable and can be updated or spoofed to point to malicious code, commit SHAs are immutable. Reverting from SHA pinning to version tags increases the risk of supply chain attacks. It is highly recommended to retain the SHA-pinned reference and use an inline comment to document the human-readable version tag.
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5| - name: Setup conda | ||
| if: steps.llvm-cache.outputs.cache-hit != 'true' | ||
| uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1 | ||
| uses: conda-incubator/setup-miniconda@v4.0.1 |
There was a problem hiding this comment.
Pinning third-party actions by a full-length commit SHA is a security best practice recommended by GitHub. Unlike tags, which are mutable and can be updated or spoofed to point to malicious code, commit SHAs are immutable. Reverting from SHA pinning to version tags increases the risk of supply chain attacks. It is highly recommended to retain the SHA-pinned reference and use an inline comment to document the human-readable version tag.
uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1| - name: Setup conda (retry with tar.bz2) | ||
| if: steps.llvm-cache.outputs.cache-hit != 'true' && steps.conda1.outcome == 'failure' | ||
| uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1 | ||
| uses: conda-incubator/setup-miniconda@v4.0.1 |
There was a problem hiding this comment.
Pinning third-party actions by a full-length commit SHA is a security best practice recommended by GitHub. Unlike tags, which are mutable and can be updated or spoofed to point to malicious code, commit SHAs are immutable. Reverting from SHA pinning to version tags increases the risk of supply chain attacks. It is highly recommended to retain the SHA-pinned reference and use an inline comment to document the human-readable version tag.
uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1| # ---- Build and test wheels ---- | ||
| - name: Build and test wheels | ||
| uses: pypa/cibuildwheel@298ed2fb2c105540f5ed055e8a6ad78d82dd3a7e # v3.3.1 | ||
| uses: pypa/cibuildwheel@v3.3.1 |
There was a problem hiding this comment.
Pinning third-party actions by a full-length commit SHA is a security best practice recommended by GitHub. Unlike tags, which are mutable and can be updated or spoofed to point to malicious code, commit SHAs are immutable. Reverting from SHA pinning to version tags increases the risk of supply chain attacks. It is highly recommended to retain the SHA-pinned reference and use an inline comment to document the human-readable version tag.
uses: pypa/cibuildwheel@298ed2fb2c105540f5ed055e8a6ad78d82dd3a7e # v3.3.1| using: "composite" | ||
| steps: | ||
| - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 | ||
| - uses: actions/cache@v5.0.5 |
There was a problem hiding this comment.
Pinning third-party actions by a full-length commit SHA is a security best practice recommended by GitHub. Unlike tags, which are mutable and can be updated or spoofed to point to malicious code, commit SHAs are immutable. Reverting from SHA pinning to version tags increases the risk of supply chain attacks. It is highly recommended to retain the SHA-pinned reference and use an inline comment to document the human-readable version tag.
- uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5| path: ~/conda_pkgs_dir | ||
| key: ${{ runner.os }}-conda-${{ env.CACHE_NUMBER }}-${{ hashFiles('ci/scripts/package/build-environment.yaml') }} | ||
| - uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1 | ||
| - uses: conda-incubator/setup-miniconda@v4.0.1 |
There was a problem hiding this comment.
Pinning third-party actions by a full-length commit SHA is a security best practice recommended by GitHub. Unlike tags, which are mutable and can be updated or spoofed to point to malicious code, commit SHAs are immutable. Reverting from SHA pinning to version tags increases the risk of supply chain attacks. It is highly recommended to retain the SHA-pinned reference and use an inline comment to document the human-readable version tag.
- uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1| condarc-file: tests/conda/condarc | ||
| conda-remove-defaults: true | ||
| - uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1 | ||
| - uses: conda-incubator/setup-miniconda@v4.0.1 |
There was a problem hiding this comment.
Pinning third-party actions by a full-length commit SHA is a security best practice recommended by GitHub. Unlike tags, which are mutable and can be updated or spoofed to point to malicious code, commit SHAs are immutable. Reverting from SHA pinning to version tags increases the risk of supply chain attacks. It is highly recommended to retain the SHA-pinned reference and use an inline comment to document the human-readable version tag.
- uses: conda-incubator/setup-miniconda@8ee1f361103df19b6f8c8655fd3967a8ecb162d5 # v4.0.1
Convert SHA-pinned third-party actions to their full version tags across all workflows and composite actions; each tag verified to resolve to the same commit that was pinned. Drop the unused actions:read / contents:read permissions from the upload_pypi job (aligns with apache/tvm-ffi). No behavior change. (cherry picked from commit 47ddef8)
Convert SHA-pinned third-party actions to their full version tags across all workflows and composite actions; each tag verified to resolve to the same commit that was pinned. Drop the unused actions:read / contents:read permissions from the upload_pypi job (aligns with apache/tvm-ffi). No behavior change. (cherry picked from commit 47ddef8)
3 participants
Convert SHA-pinned third-party actions to their full version tags across all workflows and composite actions; each tag verified to resolve to the same commit that was pinned.
Drop the unused actions:read / contents:read permissions from the upload_pypi job (aligns with apache/tvm-ffi). No behavior change.