🔒 Pin GitHub Actions to commit SHAs by paulinebm · Pull Request #424 · huggingface/kernels

paulinebm · 2026-04-02T09:37:31Z

🔒 Pin GitHub Actions to commit SHAs

This PR pins all GitHub Actions to their exact commit SHA instead of mutable tags or branch names.

Why?
Pinning to a SHA prevents supply chain attacks where a tag (e.g. v4) could be moved to point to malicious code.

Changes

Workflow	Action	Avant	Après	SHA
`kernel_abi_python_release.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`kernel_abi_python_release.yaml`	`actions/setup-python`	`v6`	`v6`	`a309ff8b426b…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`actions/upload-artifact`	`v6`	`v6`	`b7c566a772e6…`
`kernel_abi_python_release.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`kernel_abi_python_release.yaml`	`actions/setup-python`	`v6`	`v6`	`a309ff8b426b…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`actions/upload-artifact`	`v6`	`v6`	`b7c566a772e6…`
`kernel_abi_python_release.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`kernel_abi_python_release.yaml`	`actions/setup-python`	`v6`	`v6`	`a309ff8b426b…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`actions/setup-python`	`v6`	`v6`	`a309ff8b426b…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`actions/upload-artifact`	`v6`	`v6`	`b7c566a772e6…`
`kernel_abi_python_release.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`kernel_abi_python_release.yaml`	`actions/setup-python`	`v6`	`v6`	`a309ff8b426b…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`actions/upload-artifact`	`v6`	`v6`	`b7c566a772e6…`
`kernel_abi_python_release.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`kernel_abi_python_release.yaml`	`actions/upload-artifact`	`v6`	`v6`	`b7c566a772e6…`
`kernel_abi_python_release.yaml`	`actions/download-artifact`	`v7`	`v7`	`37930b1c2aba…`
`kernel_abi_python_release.yaml`	`actions/attest-build-provenance`	`v3`	`v3`	`977bb373ede9…`
`kernel_abi_python_release.yaml`	`PyO3/maturin-action`	`v1`	`v1`	`04ac600d27cd…`
`test_kernels.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`test_kernels.yaml`	`astral-sh/setup-uv`	`v7`	`v7`	`37802adc94f3…`
`build_kernel.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`build_kernel.yaml`	`actions/upload-artifact`	`v6`	`v6`	`b7c566a772e6…`
`build_kernel.yaml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`build_kernel.yaml`	`actions/download-artifact`	`v7`	`v7`	`37930b1c2aba…`
`lint.yml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`lint.yml`	`astral-sh/ruff-action`	`v3`	`v3`	`4919ec5cf1f4…`
`lint.yml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`lint.yml`	`astral-sh/setup-uv`	`v7`	`v7`	`37802adc94f3…`
`lint.yml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`lint.yml`	`actions/setup-python`	`v6`	`v6`	`a309ff8b426b…`
`build_documentation.yaml`	`huggingface/doc-builder/.github/workflows/build_main_documentation.yml`	`main`	`main`	`90b4ee2c10b8…`
`build_pr_documentation.yaml`	`huggingface/doc-builder/.github/workflows/build_pr_documentation.yml`	`main`	`main`	`90b4ee2c10b8…`
`upload_pr_documentation.yaml`	`huggingface/doc-builder/.github/workflows/upload_pr_documentation.yml`	`main`	`main`	`90b4ee2c10b8…`
`publish_kernels.yml`	`actions/checkout`	`v6`	`v6.0.2`	`de0fac2e4500…`
`publish_kernels.yml`	`actions/setup-python`	`v6`	`v6`	`a309ff8b426b…`
`publish_kernels.yml`	`actions/upload-artifact`	`v6`	`v6`	`b7c566a772e6…`
`publish_kernels.yml`	`actions/download-artifact`	`v7`	`v7`	`37930b1c2aba…`
`publish_kernels.yml`	`pypa/gh-action-pypi-publish`	`release/v1`	`release/v1`	`ed0c53931b1d…`
`publish_kernels.yml`	`actions/download-artifact`	`v7`	`v7`	`37930b1c2aba…`
`publish_kernels.yml`	`sigstore/gh-action-sigstore-python`	`v3.2.0`	`v3.2.0`	`a5caf349bc53…`
`publish_kernels.yml`	`actions/download-artifact`	`v7`	`v7`	`37930b1c2aba…`
`publish_kernels.yml`	`pypa/gh-action-pypi-publish`	`release/v1`	`release/v1`	`ed0c53931b1d…`

🤖 Generated by /github-actions-audit — [security/pin-actions-to-sha]

Closes huggingface/tracking-issues#157

paulinebm added 8 commits April 2, 2026 11:37

🔒 pin kernel_abi_python_release.yaml actions to commit SHAs

ec96706

🔒 pin test_kernels.yaml actions to commit SHAs

847b6a8

🔒 pin build_kernel.yaml actions to commit SHAs

9d128cf

🔒 pin lint.yml actions to commit SHAs

d3eb9b9

🔒 pin build_documentation.yaml actions to commit SHAs

e8f3757

🔒 pin build_pr_documentation.yaml actions to commit SHAs

92ca79d

🔒 pin upload_pr_documentation.yaml actions to commit SHAs

ffa383a

🔒 pin publish_kernels.yml actions to commit SHAs

2facd60

paulinebm temporarily deployed to testpypi April 2, 2026 09:37 — with GitHub Actions Inactive

paulinebm marked this pull request as ready for review April 2, 2026 12:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🔒 Pin GitHub Actions to commit SHAs#424

🔒 Pin GitHub Actions to commit SHAs#424
paulinebm wants to merge 8 commits intomainfrom
security/pin-actions-to-sha

paulinebm commented Apr 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

paulinebm commented Apr 2, 2026