Background
Split out from review of #34 (PR-preview/publish family). The automated reviewer flagged that third-party actions used by the new preview workflows are referenced by mutable major-version tags rather than pinned commit SHAs:
rossjrw/pr-preview-action@v1 (preview-deploy.yml)
marocchino/sticky-pull-request-comment@v3 (preview-deploy.yml)
browser-actions/setup-chrome@v1 (preview/action.yml)
The `deploy` job runs in the base-repo context with `contents: write` + `pull-requests: write`, so a tag moved to a malicious commit or an upstream compromise there would have real impact. SHA-pinning (with the version kept in a trailing comment so humans and update tooling can still read it) removes the mutable-tag risk; the pinned commit still has to be reviewed and bumped deliberately, which is what the tooling in the proposed approach is for.
Why this is a separate issue, not part of #34
This is not unique to the preview family — it's the repo's established convention everywhere. Every third-party action in the repo today is on a major tag:
actions/checkout@v4 / @v5
actions/download-artifact@v4
actions/setup-python@v5
actions/ai-inference@v1
anthropics/claude-code-action@v1
lycheeverse/lychee-action@v2
marocchino/sticky-pull-request-comment@v3
quarto-dev/quarto-actions/setup@v2
r-lib/actions/*@v2
rossjrw/pr-preview-action@v1
Pinning only the three actions in #34 to SHAs would make the preview family inconsistent with the other ~12 workflows/actions. SHA-pinning is worth doing, but it should be applied uniformly across the repo in a dedicated PR so the policy is consistent and reviewable in one place.
Proposed approach
- Pin all third-party (non-`actions/*`, or optionally all) `uses:` references to commit SHAs with a `# vX.Y.Z` trailing comment.
- Adopt a tool to keep them current and reviewable, e.g. `pin-github-action` or Dependabot's `github-actions` ecosystem (which understands SHA-pinned `uses:` and proposes bumps).
- Decide whether to pin first-party `actions/*` too, or only external authors.