chore: Update GitHub Actions versions and pin to commit SHAs #14715
Stensel8 wants to merge 8 commits into signalapp:main from
Conversation
- Bump action versions to current releases: checkout v4→v6, setup-java v3/v4→v5 (android.yml, diffuse.yml), upload-artifact v4→v7, cache v4→v5, wrapper-validation v5→v6
- Pin all actions to specific commit SHAs to prevent supply-chain attacks: diffuse-action, find-comment, create-or-update-comment, stale, checkout, setup-java, upload-artifact, cache, wrapper-validation
- Remove outdated 3G reference in README (WiFi/3G/4G/5G → WiFi/4G/5G)
@greyson-signal, the copyright year also needs a bump to 2026. Could you explain why the previous attempt/PR to do so has been closed? Would love to help out one of my favourite projects.
This is nice, and I've re-verified that I got the same hashes. Will go out in our next release, thanks! |
As a small addition to this PR, I've also included a Once this PR is merged, Dependabot will automatically open weekly PRs to keep all GitHub Actions up to date — including the SHA pinning introduced here. It will update both the commit SHA and the inline version comment (e.g. Actions are grouped by organisation ( Hope this is useful to the team! |
Bumps the actions group with 1 update: [actions/cache](https://github.com/actions/cache).

Updates `actions/cache` from 5.0.4 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@6682284...27d5ce7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
…-20de5e3257 ci: bump actions/cache from 5.0.4 to 5.0.5 in the actions group across 1 directory
FWIW, I've also confirmed the hashes point to the expected commits. |
Description
Maintenance PR - no app code changed, only `.github/workflows/`, `.github/dependabot.yml`, and `README.md`.

- Pin all GitHub Actions to commit SHAs to prevent supply-chain attacks (a compromised mutable tag would otherwise silently execute arbitrary code in CI). Each pinned SHA is documented with the `gh` command used to obtain it:
- Bump action versions to current stable releases:
  - `actions/checkout` v4 → v6
  - `actions/setup-java` v3/v4 → v5
  - `actions/upload-artifact` v4 → v7
  - `actions/cache` v4 → v5
  - `gradle/actions/wrapper-validation` v5 → v6
  - `peter-evans/find-comment` v2 → v4
  - `peter-evans/create-or-update-comment` v3 → v5
- README: removed outdated 3G reference (`WiFi/3G/4G/5G` → `WiFi/4G/5G`).
- Add `.github/dependabot.yml` to automate future SHA-pin updates. Once merged, Dependabot will open weekly PRs that update both the SHA and the inline version comment (e.g. `# v6`) whenever a new release of a used action is published — so the SHA pinning you see in this PR will stay current automatically, without any manual work. Actions are grouped by organisation (`actions/*`, `gradle/*`, `peter-evans/*`) to keep the update PRs tidy.
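The two checks the thread relies on, the maintainer and a reviewer re-verifying that each pinned hash points at the expected commit and the description's mention of a `gh` command used to obtain each SHA, as an added example that is not code from this PR or the Signal repository. The page does not show the PR's actual `gh` command; `resolve_tag` below is this editor's assumption of what that lookup looks like, built on the documented `gh api` endpoints for git refs and tag objects. `audit_workflow` is the offline half: it flags every `uses:` reference that is not a full 40-hex commit SHA, which is the state a reviewer wants to confirm before trusting a PR like this one. The two workflow files are constructed samples and their SHAs are made up.

```shell
#!/usr/bin/env sh
# Added example (not the Signal project's code). Offline audit of `uses:` pins in
# GitHub Actions workflows, plus a tag-to-commit lookup via `gh api`.

# Print the `uses:` values of a workflow file, one per line, with any inline
# "# vN" comment and surrounding quotes removed.
list_uses() {
  sed -nE 's/^[[:space:]-]*uses:[[:space:]]*//p' "$1" \
    | sed -E "s/[[:space:]]*#.*\$//; s/^[\"']//; s/[\"']?[[:space:]]*\$//"
}

# Return 0 when every action reference in the file is pinned to a full 40-hex
# commit SHA, 1 otherwise (each unpinned reference is reported on stderr).
# Local actions (./path) and docker:// images have no tag to pin and are skipped.
audit_workflow() {
  file=$1
  rc=0
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    case $ref in
      ./*|docker://*) continue ;;
    esac
    if ! printf '%s\n' "$ref" | grep -Eq '^[^@[:space:]]+@[0-9a-f]{40}$'; then
      echo "unpinned: $file: $ref" >&2
      rc=1
    fi
  done <<EOF
$(list_uses "$file")
EOF
  return $rc
}

# Resolve OWNER/REPO and TAG to the commit SHA the tag points at (assumed
# lookup; needs `gh` logged in and network access, so it is not run below).
# An annotated tag resolves to a *tag object* first; dereference it once more,
# because pinning the tag object's SHA instead of the commit's would not work.
resolve_tag() {
  repo=$1
  tag=$2
  objtype=$(gh api "repos/$repo/git/ref/tags/$tag" --jq '.object.type') || return 1
  sha=$(gh api "repos/$repo/git/ref/tags/$tag" --jq '.object.sha') || return 1
  if [ "$objtype" = "tag" ]; then
    sha=$(gh api "repos/$repo/git/tags/$sha" --jq '.object.sha') || return 1
  fi
  printf '%s\n' "$sha"
}

# Write two constructed sample workflows (made-up SHAs) into the given directory.
write_samples() {
  cat > "$1/pinned.yml" <<'YAML'
name: pinned
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v6 (made-up SHA)
      - uses: "gradle/actions/wrapper-validation@89abcdef0123456789abcdef0123456789abcdef" # v6 (made-up SHA)
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.20
YAML
  cat > "$1/unpinned.yml" <<'YAML'
name: unpinned
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: peter-evans/find-comment@main
      - uses: actions/cache@0123456   # 7-char prefix is not a full 40-hex pin
YAML
}

dir=$(mktemp -d)
write_samples "$dir"
audit_workflow "$dir/pinned.yml" && echo "pinned.yml: all actions pinned"
audit_workflow "$dir/unpinned.yml" || echo "unpinned.yml: unpinned references found"
rm -rf "$dir"
```

To verify a pin the way the comments describe, run `resolve_tag actions/checkout v6` (or whatever tag the inline `# v6` comment names) and compare the output with the SHA in the workflow; a mismatch means either the comment is stale or the tag has moved since the pin was taken, and in both cases the commit should be inspected before merging.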