Conversation
Pin peter-evans/create-pull-request to SHA in bump action (missed by oven-sh#28616), and replace all `bun install` with `bun ci` in CI workflows to enforce frozen lockfile.
Walkthrough
Updated multiple GitHub Actions workflows to use
Changes
Pull request overview
Hardens CI supply chain by (1) making a previously tag-pinned third-party action immutable via SHA pinning and (2) preventing lockfile drift during CI installs by switching workflows from bun install to bun ci.
Changes:
- Pin `peter-evans/create-pull-request@v7` to a full commit SHA in the internal `.github/actions/bump` composite action.
- Replace `bun install` with `bun ci` across CI/release workflows to enforce frozen lockfile behavior.
- Update VS Code extension publish workflow to use `bun ci` for dependency installs (including inspector protocol build step).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/vscode-release.yml | Switch dependency installs to bun ci for VS Code extension publishing flow |
| .github/workflows/release.yml | Replace bun install with bun ci in multiple release jobs |
| .github/workflows/packages-ci.yml | Use bun ci for root + package dependency installs in packages CI |
| .github/workflows/format.yml | Enforce frozen installs via bun ci in formatting workflow |
| .github/actions/bump/action.yml | SHA-pin peter-evans/create-pull-request invocation inside internal bump action |
| with: | ||
| bun-version: "1.2.3" | ||
| - name: Install Dependencies | ||
| run: bun install | ||
| run: bun ci | ||
| - name: Sign Release |
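Review bot: the step switches to `bun ci` while the `setup-bun` input above it stays at `bun-version: "1.2.3"`; confirm that the `ci` subcommand exists in that Bun release, otherwise this step fails with an unknown-command error instead of on lockfile drift, and `run: bun install --frozen-lockfile` gives the same guarantee on any version that lacks it.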
release.yml still references peter-evans/create-pull-request by mutable tag (@v7) later in the workflow (e.g., the DefinitelyTyped PR step). Since this PR is hardening CI supply chain, consider SHA-pinning that remaining usage as well (and keeping the # v7 comment) so the workflow is consistently protected against tag-rewrite compromises.
Didn't want to step on #28616's toes (see description).
Summary
Pin third-party GitHub Action to SHA and enforce frozen lockfiles in CI workflows, complementing #28616.
Changes Made (CI Fixes)
- Pinned `peter-evans/create-pull-request@v7` to a commit SHA in `.github/actions/bump/action.yml` (missed by "fix: pin 28 actions to commit SHA, extract 1 expressions to env vars" #28616).
- Replaced `bun install` with `bun ci` across 4 workflow files (release.yml, format.yml, packages-ci.yml, vscode-release.yml) to prevent lockfile drift in CI. `bun ci` is equivalent to `bun install --frozen-lockfile` and is recommended by Bun for CI/CD environments.
Recommendations
- `cooldown` setting, or Renovate with `minimumReleaseAge` — no automated dependency update tooling is currently configured.
- Pin `docker/*` actions to SHA in `release.yml`.
- Pin `ruby/setup-ruby` to SHA in `release.yml`.
- Pin `getsentry/action-release` to SHA in `release.yml`.
- Pin `oven-sh/setup-bun` to SHA in `update-root-certs.yml` and `update-vendor.yml`.
Why This Matters
GitHub Actions tag references are mutable
When a workflow references an action by tag (e.g., `actions/checkout@v4`), the tag can be moved to point to a different commit at any time — by the maintainer, or by an attacker who compromises the repository. SHA pinning makes the reference immutable.
Real-world incidents:
Unfrozen lockfiles in CI enable dependency confusion
Without `--frozen-lockfile` (or `bun ci`), a CI install can silently resolve newer package versions than what's in the lockfile. If an attacker publishes a compromised version of a dependency, CI would pick it up on the next run.
Real-world incidents:
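As an added example, not part of this PR or the Bun repository, here is a small line-based audit script that flags the two weaknesses the description calls out: `uses:` references that are not a full commit SHA, and `bun install` invocations without `--frozen-lockfile`. The sample workflow text and the all-zero SHA are constructed placeholders.

```python
import re

# `uses:` value of a step, e.g. "actions/checkout@v4"; stops before a trailing "# v7" comment
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
# A full 40-hex commit SHA is the only immutable reference form
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Any line (single `run:` or inside a `run: |` block) that installs without freezing the lockfile
INSTALL_RE = re.compile(r"\bbun install\b")


def is_immutable_ref(ref):
    """True for local actions, docker:// images, or a repo@<40-hex SHA> reference."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True  # not fetched by git tag, so tag rewriting does not apply
    _repo, _sep, version = ref.partition("@")
    return bool(SHA_RE.match(version))


def audit_workflow(text):
    """Return [(line_no, finding)] for a workflow or composite action's YAML text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            if not is_immutable_ref(m.group(1)):
                findings.append((no, f"mutable action ref: {m.group(1)}"))
            continue
        if INSTALL_RE.search(line) and "--frozen-lockfile" not in line:
            findings.append((no, f"unfrozen install: {line.strip()}"))
    return findings


# Constructed sample mirroring the shapes seen in the PR; the SHA below is a placeholder.
SAMPLE = """\
name: release
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: "1.2.3"
      - name: Install Dependencies
        run: bun install
      - uses: ./.github/actions/bump
      - uses: peter-evans/create-pull-request@0000000000000000000000000000000000000000 # v7
      - run: bun ci
"""

if __name__ == "__main__":
    for no, finding in audit_workflow(SAMPLE):
        print(f"line {no}: {finding}")
```

Running it on the sample reports lines 5, 6 and 10; the local composite action, the SHA-pinned step and the `bun ci` step pass.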