ci: pin all GitHub Actions to SHA hashes and update versions#1681

Status: Open. ZeliardM wants to merge 1 commit into python-kasa:master from ZeliardM:ci/pin-actions-to-sha

Conversation

ZeliardM (Contributor) commented Apr 6, 2026

Summary

Pin all GitHub Actions to full SHA commit hashes for improved supply chain security, following GitHub's recommendation. Version tags are preserved as inline comments for readability.

Version upgrades

  • actions/cache: v4 → v5 (v5.0.4)
  • codecov/codecov-action: v5 → v6 (v6.0.0, adds node24 support)

SHA pinning (no version change)

| Action | Version | SHA |
| --- | --- | --- |
| actions/checkout | v6 | de0fac2e |
| actions/setup-python | v6 | a309ff8b |
| actions/cache | v5 | 66822842 |
| actions/stale | v10 | b5d41d4e |
| astral-sh/setup-uv | v7 | 37802adc |
| codecov/codecov-action | v6.0.0 | 57e3a136 |
| github/codeql-action | v4 | c10b8064 |
| pypa/gh-action-pypi-publish | release/v1 | ed0c5393 |

CodeQL enhancement

  • Enable CODEQL_ACTION_FILE_COVERAGE_ON_PRS: true to show file-level coverage info in PR checks

Files changed

  • .github/workflows/ci.yml
  • .github/workflows/codeql-analysis.yml
  • .github/workflows/publish.yml
  • .github/workflows/stale.yml
  • .github/actions/setup/action.yaml

Merge order

This is PR 2 of 9 in the test modernization series. Independent of other PRs (no file overlaps).

| Order | PR | Scope |
| --- | --- | --- |
| 1 | #1677 | Tests: cleanup and fixes |
| 2 | #1681 | CI: pin GitHub Actions to SHA |
| 3 | #1682 | Docs: modernize docstrings |
| 4 | #1683 | Tests: centralize session cleanup |
| 5 | #1684 | Tests: transport type annotations |
| 6 | #1685 | Tests: IoT type annotations |
| 7 | #1686 | Tests: Smart type annotations |
| 8 | #1687 | Tests: CLI/protocols/smartcam type annotations |
| 9 | #1688 | Tests: top-level type annotations |

Verification

  • All pre-commit hooks pass
  • Full test suite passes after sequential merge of all 9 PRs (10,656 passed, 194 skipped)
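The PR description above pins every `uses:` reference to a full commit SHA and keeps the version tag as a trailing comment. A reviewer or a CI gate can verify that property mechanically. The checker below is an added example written for this page, not code from the python-kasa repository or from this PR: it scans workflow text for `uses:` lines, flags any reference that is not a 40-character hex SHA (a mutable tag such as `v6` or `release/v1` can be re-pointed by the action's maintainers), and separately flags SHA-pinned references that have lost their `# vX` comment. The embedded sample workflow is constructed for illustration; its SHAs are placeholder hex strings, not the commits listed in the PR.

```python
"""Check GitHub Actions workflow files for unpinned `uses:` references.

Added example for this page; not part of python-kasa. The sample workflow
and its 40-hex SHAs are constructed placeholders, not real commits.
"""
import re
import sys
from pathlib import Path

# A `uses:` step or reusable-workflow line: "owner/repo[/path]@ref # comment".
# The ref is optional so local actions (./path) are still matched and skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)(?:@(?P<ref>[^\s#]+))?"
    r"\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
# GitHub's full-SHA pinning: exactly 40 lowercase hex digits.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> list[dict]:
    """Return one finding dict per problematic `uses:` line in *text*."""
    findings: list[dict] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        # Local composite actions and docker images are not fetched by tag.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if ref is None or not FULL_SHA_RE.fullmatch(ref):
            findings.append({"line": lineno, "action": action, "ref": ref,
                             "problem": "not pinned to a full commit SHA"})
        elif not comment:
            findings.append({"line": lineno, "action": action, "ref": ref,
                             "problem": "pinned but missing version comment"})
    return findings


def check_paths(root: Path) -> dict[str, list[dict]]:
    """Run check_workflow over every .yml/.yaml file under *root*."""
    results: dict[str, list[dict]] = {}
    for path in sorted(root.rglob("*.y*ml")):
        found = check_workflow(path.read_text(encoding="utf-8"))
        if found:
            results[str(path)] = found
    return results


# Constructed sample: one correctly pinned step, one tag-pinned step, one local
# action, one SHA-pinned step without its version comment, one branch ref.
SAMPLE_WORKFLOW = """\
name: CI
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6
      - uses: actions/setup-python@v6
      - uses: ./.github/actions/setup
      - uses: codecov/codecov-action@89abcdef0123456789abcdef0123456789abcdef
      - uses: pypa/gh-action-pypi-publish@release/v1
"""


if __name__ == "__main__":
    # Usage: python check_pins.py [.github]   (defaults to the sample text)
    if len(sys.argv) > 1:
        report = check_paths(Path(sys.argv[1]))
    else:
        report = {"<sample>": check_workflow(SAMPLE_WORKFLOW)}
    for path, items in report.items():
        for f in items:
            print(f"{path}:{f['line']}: {f['action']}@{f['ref']}: {f['problem']}")
    sys.exit(1 if report else 0)
```

Run it as `python check_pins.py .github` from a checkout to gate a CI job on the result; the non-zero exit makes it usable as a pre-commit hook alongside the ones the PR description says already pass.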

Copilot AI review requested due to automatic review settings April 6, 2026 16:34

Copilot AI left a comment

Pull request overview

Pins GitHub Actions to full commit SHAs to harden the CI supply chain, while upgrading select actions (cache + Codecov) to newer major versions.

Changes:

  • Pin all referenced GitHub Actions in workflows and the composite setup action to full commit SHAs (with version tags kept as comments).
  • Upgrade actions/cache from v4 → v5 (in the composite setup action).
  • Upgrade codecov/codecov-action from v5 → v6.0.0 (in CI workflow).

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.

Summary per file:

| File | Description |
| --- | --- |
| .github/workflows/ci.yml | Pins actions/checkout and upgrades/pins Codecov action to a SHA. |
| .github/workflows/codeql-analysis.yml | Pins actions/checkout and CodeQL init/analyze actions to SHAs. |
| .github/workflows/publish.yml | Pins checkout, uv setup, python setup, and PyPI publish actions to SHAs. |
| .github/workflows/stale.yml | Pins actions/stale to a SHA in both stale policy steps. |
| .github/actions/setup/action.yaml | Pins uv/python setup actions and upgrades/pins actions/cache to v5 SHA. |

codecov bot commented Apr 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.22%. Comparing base (76d9f68) to head (94e06bb).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #1681   +/-   ##
=======================================
  Coverage   93.22%   93.22%           
=======================================
  Files         157      157           
  Lines        9815     9815           
  Branches     1003     1003           
=======================================
  Hits         9150     9150           
  Misses        472      472           
  Partials      193      193           

ZeliardM force-pushed the ci/pin-actions-to-sha branch from 5187fba to 94e06bb on April 6, 2026 16:54. Commit message:
- Pin all actions to full SHA commit hashes for supply chain security
- Upgrade actions/cache from v4 to v5
- Upgrade codecov/codecov-action from v5 to v6.0.0 (node24 support)
- Version tags preserved as inline comments for easy readability

Actions pinned:
  actions/checkout@v6 (de0fac2)
  actions/setup-python@v6 (a309ff8)
  actions/cache@v5 (6682284) [upgraded from v4]
  actions/stale@v10 (b5d41d4)
  astral-sh/setup-uv@v7 (37802ad)
  codecov/codecov-action@v6.0.0 (57e3a13) [upgraded from v5]
  github/codeql-action@v4 (c10b806)
  pypa/gh-action-pypi-publish@release/v1 (ed0c539)

ZeliardM (Contributor, Author) commented Apr 6, 2026

@rytilahti Here is the updated CI PR you asked for with SHA pinning and updated versions across the repository.
