GitHub Actions SHA Pinning Compliance #4

@esphome

Description

This issue tracks SHA pinning compliance for GitHub Actions across all repositories in the esphome organization.

SHA pinning means referencing actions by their full commit SHA (e.g., actions/checkout@<sha>) instead of a mutable tag (e.g., actions/checkout@v4). This prevents supply-chain attacks via compromised or force-pushed tags.

The Enforced column shows whether the repo has sha_pinning_required enabled in Settings > Actions > General.

Each non-compliant repository has a linked sub-issue with details.
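The check described above, written out as an added example (not the compliance workflow the esphome organization actually runs): it scans the `uses:` references in workflow and composite-action YAML and counts those pinned to a full 40-hex commit SHA versus those pointing at a mutable tag or branch, which is the Unpinned/Pinned split the tables below report. The sample workflow text, the action names and the SHA in it are constructed for the example; local `./` actions and `docker://` images are skipped because the tag-pinning rule does not apply to them.

```python
import re
from collections import namedtuple

# A "uses:" line in a workflow step or a reusable-workflow job.  The capture
# stops at whitespace, quotes or '#', so the conventional trailing
# "# v4" comment after a pinned SHA is not part of the reference.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^"\'\s#]+)')
# Only a full-length commit SHA counts as pinned; a short SHA does not.
FULL_SHA_RE = re.compile(r'^[0-9a-fA-F]{40}$')

Audit = namedtuple("Audit", "pinned unpinned skipped")


def classify_uses(ref):
    """Classify one `uses:` reference as pinned, unpinned or skipped."""
    if ref.startswith("./"):
        return "skipped"          # local composite action in the same repo
    if ref.startswith("docker://"):
        return "skipped"          # container image, not a GitHub action ref
    if "@" not in ref:
        return "unpinned"         # no ref at all resolves to the default branch
    _action, _, version = ref.rpartition("@")
    return "pinned" if FULL_SHA_RE.match(version) else "unpinned"


def audit_workflow(text):
    """Return an Audit of every external action reference in one YAML file."""
    result = Audit([], [], [])
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        getattr(result, classify_uses(ref)).append(ref)
    return result


def is_fully_pinned(text):
    """True when no mutable tag/branch reference remains in the file."""
    return not audit_workflow(text).unpinned


# Constructed sample workflow: one pinned step, one tag-pinned step, one
# local action, one container step and one reusable workflow on a branch.
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: ./.github/actions/restore-python
      - name: Lint
        uses: "docker://ghcr.io/example-org/linter:1"
  shared:
    uses: example-org/shared-workflows/.github/workflows/build.yml@main
"""

if __name__ == "__main__":
    audit = audit_workflow(SAMPLE_WORKFLOW)
    print(f"Unpinned: {len(audit.unpinned)}  Pinned: {len(audit.pinned)}")
    for ref in audit.unpinned:
        print("  not SHA-pinned:", ref)
```

Run it over every file under `.github/workflows/` and every `action.yml` in a repository to reproduce the per-repo counts; a repository is "fully pinned" when `is_fully_pinned` holds for all of them.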

Summary

  • 45 fully pinned
  • 3 not fully pinned
  • 0 with workflows but no external actions
  • 9 without workflows
  • 57 enforced / 0 not enforced

Fully SHA-Pinned Repositories

| Repository | Enforced | Workflow Files |
| --- | --- | --- |
| AsyncTCP | Yes | publish.yml, push.yml |
| ESPAsyncTCP | Yes | push.yml |
| ESPAsyncWebServer | Yes | publish.yml, push.yml, release-drafter.yml |
| aioesphomeapi | Yes | ci.yml, close-pr-from-fork-default-branch.yml, docker.yml, labeler.yml, lock.yml, release-drafter.yml, release.yml |
| bluetooth-proxies | Yes | build.yml, lock.yml, stale.yml, yaml-lint.yml |
| build-action | Yes | ci.yml, action.yml |
| component-image-generator | Yes | build.yml, action.yml |
| dashboard | Yes | build-web.yml, ci.yml, pythonpublish.yml, release-drafter.yml |
| dashboard-api | Yes | pythonpublish.yml, release-drafter.yml |
| data.esphome.io | Yes | publish.yml, automations/action.yml, component-changes/action.yml, components/action.yml |
| deployments | Yes | lint.yml |
| developers.esphome.io | Yes | lock.yml |
| device-builder | Yes | auto-release.yml, draft-next-releases.yml, pr-labels.yaml, real-compile-tests.yml, release.yml, sync-component-catalog.yml, sync-device-catalog.yml, test.yml, windows-real-compile.yml, .github/actions/generate-release-notes/action.yml, .github/actions/resolve-release-versions/action.yml, .github/actions/setup-uv-python/action.yml |
| device-builder-frontend | Yes | auto-approve-dependabot.yml, auto-release.yml, pr-labels.yaml, release.yml, test.yml, translations-upload.yml, yamllint.yml |
| devices.esphome.io | Yes | ci.yaml, commit-date-published.yml, made-for-esphome.yml, pr-validation-feedback.yml, update-date-published.yml, weekly-link-check.yml |
| docker-base | Yes | build.yml |
| esp-hosted-firmware | Yes | build.yml, check-update.yml |
| esp-stacktrace-decoder | Yes | release-drafter.yml, release.yml |
| esp-web-tools | Yes | ci.yml, npmpublish.yml, release-drafter.yml |
| esphome | Yes | auto-label-pr.yml, ci-api-proto.yml, ci-clang-tidy-hash.yml, ci-docker.yml, ci-github-scripts.yml, ci-memory-impact-comment.yml, ci.yml, close-pr-from-fork-default-branch.yml, codeowner-approved-label-update.yml, codeowner-review-request.yml, codeql.yml, dashboard-deprecation-comment.yml, external-component-bot.yml, issue-codeowner-notify.yml, lock.yml, pr-title-check.yml, release.yml, stale.yml, status-check-labels.yml, sync-device-classes.yml, .github/actions/build-image/action.yaml, .github/actions/cache-esp-idf/action.yml, .github/actions/restore-python/action.yml |
| esphome-desktop | Yes | build.yml, bump-bundle-versions.yml, deploy-pages.yml, lint-test.yml, pr-comment.yml, publish-aur.yml, release-drafter.yml, scripts-test.yml |
| esphome-glyphsets | Yes | ci.yml, issue-manager.yml, upgrader.yml |
| esphome-project-template | Yes | ci.yml, publish-firmware.yml, publish-pages.yml, repository-generated.yml |
| esphome-schema | Yes | generate-schemas.yml |
| esphome-webserver | Yes | ci.yaml, release.yaml |
| esphome.io | Yes | auto-label-pr.yml, check-component-index.yml, ci.yml, close-pr-from-fork-default-branch.yml, component-image.yml, imgbot-auto-merge.yml, labeller-recheck.yml, lock.yml, stale.yml |
| ewt-gen | Yes | publish.yml, website.yml |
| feature-requests | Yes | auto-labeller.yml, close-bypassed-discussions.yml, close-issues.yml, lock.yml |
| firmware | Yes | build.yml, check-generated-configs.yml, lock.yml, stale.yml, yaml-lint.yml |
| home-assistant-addon | Yes | bump-version.yml, devcontainer-build.yaml, lint.yml |
| home-assistant-voice-pe | Yes | build.yml, gh-pages.yml, update-latest.yml, yaml-lint.yml |
| infrared-proxies | Yes | build.yml, lock.yml, stale.yml, yaml-lint.yml |
| issues | Yes | lock.yml, stale.yml |
| media-players | Yes | build.yml, lock.yml, stale.yml, yaml-lint.yml |
| media.esphome.io | Yes | deploy.yml |
| pre-commit-action | Yes | main.yml, action.yml |
| rf-proxies | Yes | build.yml, lock.yml, publish.yml, release-drafter.yml, release.yml, stale.yml, yaml-lint.yml |
| roadmap | Yes | restrict-issue-creation.yml |
| starter-components | Yes | ci.yml, yaml-lint.yml |
| version-notifier | Yes | notify.yml, track-bump-prs.yml, trigger-ha-addon.yml, trigger-schema.yml, update-firmware-repos.yml |
| voice-kit-xmos-firmware | Yes | apps.yml, ci.yml, docker.yml |
| wake-word-voice-assistants | Yes | build-minimal.yml, build.yml, lock.yml, stale.yml, yaml-lint.yml |
| workflow-shas | Yes | check.yml, action.yml |
| workflows | Yes | build.yml, lock.yml, promote-r2.yml, upload-to-gh-release.yml, upload-to-r2.yml |
| zwa-2 | Yes | build.yml, lock.yml, stale.yml, yaml-lint.yml |

Repositories NOT Fully SHA-Pinned

| Repository | Enforced | Unpinned | Pinned |
| --- | --- | --- | --- |
| home-assistant-voice-pe-alpha | Yes | 11 | 0 |
| xmos_fwk_io | Yes | 7 | 0 |
| xmos_fwk_rtos | Yes | 2 | 0 |

Repositories Without Workflows
This issue is automatically updated by a daily workflow.
