Description
The Daily Health Check workflow was failing for 3 days due to invalid SHA pins for GitHub Actions.
Root Cause
The SHA pin c7d193f32edcb7bfad88892161225aeda64e9392 used for actions/upload-artifact and actions/download-artifact was invalid/expired.
Affected Workflows
.github/workflows/daily-health-check.yml
.github/workflows/nist-compliance.yml
Fix Applied
Updated to valid v4 SHA pins:
actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093
Recommendation
Consider implementing:
- Dependabot for GitHub Actions - Auto-update action versions
- Periodic SHA verification - Add a workflow to verify action SHAs are valid
- Use version tags - Consider using version tags (e.g., v4) instead of SHA pins for simpler maintenance (trade-off: tags are mutable and can be moved to different code, so less secure, but more maintainable)
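As an added example of the "periodic SHA verification" recommendation (this script is not part of the PR or the repository), the following POSIX shell audit lists every `uses:` reference in a workflow file, flags any reference that is not a full 40-hex commit SHA, and, when `CHECK_UPSTREAM=1` is set and an authenticated `gh` is available, confirms each SHA exists upstream via `gh api repos/OWNER/REPO/commits/SHA`. The workflow it scans is a constructed sample embedded in the script, not one of the two files this PR touched; the pin that caused the outage would have been reported as "SHA not found upstream" by the optional network check.

```shell
#!/bin/sh
# Added example, not part of this PR: a small pin-audit script that a scheduled
# workflow could run over .github/workflows/*.yml. It lists every `uses:`
# reference, flags references that are not full 40-hex commit SHAs, and (when
# gh is available and CHECK_UPSTREAM=1 is set) confirms each SHA exists upstream.

# extract_uses FILE -> one "owner/repo@ref" per `uses:` line (trailing comments dropped)
extract_uses() {
  sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
}

# is_sha_pin REF -> exit 0 when REF is a full 40-character lowercase hex commit SHA
is_sha_pin() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{40}$'
}

# verify_upstream OWNER/REPO SHA -> exit 0 when the commit exists on GitHub.
# Needs network access and an authenticated `gh`; it is only called when
# CHECK_UPSTREAM=1, so the rest of the script works offline.
verify_upstream() {
  gh api "repos/$1/commits/$2" --jq .sha >/dev/null 2>&1
}

# check_pins FILE -> prints "OK|WEAK|SKIP <uses value>" for each action reference
check_pins() {
  extract_uses "$1" | while IFS= read -r use; do
    case "$use" in
      ./*|docker://*) echo "SKIP $use"; continue ;;   # local path or image: nothing to SHA-pin
    esac
    case "$use" in
      *@*) ;;
      *) echo "WEAK $use (no ref at all)"; continue ;;
    esac
    action=${use%@*}
    ref=${use#*@}
    if ! is_sha_pin "$ref"; then
      echo "WEAK $use (mutable ref '$ref')"
    elif [ "${CHECK_UPSTREAM:-0}" = 1 ] && command -v gh >/dev/null 2>&1 \
         && ! verify_upstream "$action" "$ref"; then
      echo "WEAK $use (SHA not found upstream)"
    else
      echo "OK $use"
    fi
  done
}

# count_weak FILE -> number of WEAK findings (0 means the file passes)
count_weak() {
  check_pins "$1" | grep -c '^WEAK' || true
}

# make_sample_workflow -> path to a constructed workflow used only for this demo
make_sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
jobs:
  check:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
      - uses: ./.github/actions/local-step
EOF
  echo "$f"
}

SAMPLE=$(make_sample_workflow)
trap 'rm -f "$SAMPLE"' EXIT
check_pins "$SAMPLE"
echo "weak pins: $(count_weak "$SAMPLE")"
```

In a scheduled workflow you would loop `count_weak` over `.github/workflows/*.yml` and fail the job when the total is non-zero; running it with `CHECK_UPSTREAM=1` additionally catches a SHA that has the right shape but no longer resolves, which is the failure mode this PR fixed.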
Verification
```shell
# Check workflow runs
gh run list --workflow "Daily Health Check" --limit 3
# Verify artifact actions in workflows
grep -r "upload-artifact\|download-artifact" .github/workflows/
```