[release/v7.5.6] [StepSecurity] ci: Harden GitHub Actions tags by daxian-dbw · Pull Request #27239 · PowerShell/PowerShell
Backport of #27201 to release/v7.5.6
Triggered by @daxian-dbw on behalf of @step-security-bot
Original CL Label: CL-BuildPackaging
/cc @PowerShell/powershell-maintainers
Impact
REQUIRED: Choose either Tooling Impact or Customer Impact (or both). At least one checkbox must be selected.
Tooling Impact
- Required tooling change
- Optional tooling change (include reasoning)
Pins GitHub Actions and setup action references to immutable commit SHAs in shared CI and workflow definitions on the release branch. This is a required tooling and supply-chain hardening update.
Customer Impact
- Customer reported
- Found internally
Regression
REQUIRED: Check exactly one box.
- Yes
- No
This is not a regression.
Testing
Cherry-pick completed on release/v7.5.6 after resolving workflow conflicts by preserving the release branch workflow structure and accepting the SHA-pinned action references from the original PR. Validation included checking that all conflict markers were removed and that the affected workflows now reference the pinned checkout, setup-dotnet, and github-script SHAs where applicable. Release branch CI will provide end-to-end verification.
Risk
REQUIRED: Check exactly one box.
- High
- Medium
- Low
Medium risk because the change affects multiple shared CI workflow files and could expose latent workflow assumptions, but the modification is limited to pinning action references and keeps the existing release branch workflow behavior intact.
Merge Conflicts
Conflicts occurred in .github/workflows/copilot-setup-steps.yml, .github/workflows/labels.yml, .github/workflows/linux-ci.yml, .github/workflows/macos-ci.yml, .github/workflows/verify-markdown-links.yml, .github/workflows/windows-ci.yml, .github/workflows/windows-packaging-reusable.yml, and .github/workflows/xunit-tests.yml. Resolution: preserved the release/v7.5.6 workflow structure and accepted the SHA-pinned action references from PR #27201 for the conflicted uses entries.
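As an added example that is not part of this PR or the PowerShell repository, the following stdlib-only Python checker performs the kind of validation the Testing section describes: it scans workflow text for `uses:` references and reports which action references are pinned to a full 40-hex commit SHA and which still float on a tag or branch. The embedded workflow fragment and its SHAs are constructed placeholders, not real commits of any action; the check for a trailing `# vX.Y.Z` note beside a pinned SHA assumes the common convention of keeping a human-readable version comment next to the SHA, which this PR does not itself state.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample workflow; the 40-hex SHAs are made-up placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@0123456789abcdef0123456789abcdef01234567 # v4.3.1
      - uses: actions/github-script@main
      - uses: ./.github/actions/local-step
      - uses: docker://ghcr.io/example/image:1.2.3
      - uses: step-security/harden-runner@abcdefabcdefabcdefabcdefabcdefabcdefabcd
"""

# Matches "uses: <ref>" with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class UsesEntry:
    line_no: int
    target: str   # e.g. actions/checkout, ./.github/actions/x, docker://image
    ref: str      # tag, branch, or 40-hex commit SHA ("" for local actions)
    pinned: bool  # True when the reference cannot silently move
    comment: str  # trailing "# v4.3.1"-style note, if any
    kind: str     # "marketplace", "local", or "docker"


def parse_uses(workflow_text: str) -> List[UsesEntry]:
    """Extract every uses: entry and classify how it is referenced."""
    entries: List[UsesEntry] = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        raw = m.group("ref").strip('"').strip("'")
        comment = (m.group("comment") or "").strip()
        if raw.startswith("./"):
            # Local actions are versioned with the repository itself.
            entries.append(UsesEntry(n, raw, "", True, comment, "local"))
        elif raw.startswith("docker://"):
            # Container images are immutable only when referenced by digest.
            entries.append(UsesEntry(n, raw, "", "@sha256:" in raw, comment, "docker"))
        else:
            target, _, ref = raw.partition("@")
            entries.append(UsesEntry(n, target, ref, bool(SHA_RE.match(ref)), comment, "marketplace"))
    return entries


def unpinned(workflow_text: str) -> List[UsesEntry]:
    """Marketplace actions or docker images that resolve through a mutable tag/branch."""
    return [e for e in parse_uses(workflow_text)
            if e.kind in ("marketplace", "docker") and not e.pinned]


def sha_pinned_without_version_note(workflow_text: str) -> List[UsesEntry]:
    """SHA-pinned actions lacking the human-readable version comment (assumed convention)."""
    return [e for e in parse_uses(workflow_text)
            if e.kind == "marketplace" and e.pinned and not e.comment]


def report(workflow_text: str) -> List[str]:
    """One line per finding, suitable for a CI log or pre-merge check."""
    lines = [f"line {e.line_no}: {e.target}@{e.ref} is not pinned to a commit SHA"
             for e in unpinned(workflow_text)]
    lines += [f"line {e.line_no}: {e.target} is SHA-pinned but has no version note"
              for e in sha_pinned_without_version_note(workflow_text)]
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_WORKFLOW):
        print(finding)
```

Running the checker over each file under `.github/workflows/` after a cherry-pick gives a quick confirmation that no tag-based `uses:` reference survived conflict resolution; a non-empty `unpinned()` result is the signal to inspect the file by hand.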