
Commit cf49689

security: pin GitHub Actions to commit hashes
Pin third-party GitHub Actions to specific commit hashes to prevent supply chain attacks and ensure immutable action versions:

- actions/setup-python@v5 → a26af69be951a213d495a4c3e4e4022e16d87065
- pre-commit/action@v3.0.1 → 2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd

This resolves the CodeQL Advanced Security warning: "Unpinned tag for a non-immutable Action in workflow"

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
1 parent cf5260b commit cf49689

3 files changed

Lines changed: 4 additions & 4 deletions


.github/workflows/publish.yml

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ jobs:
1414
steps:
1515
- uses: actions/checkout@v4
1616
- name: Set up Python
17-
uses: actions/setup-python@v5
17+
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
1818
with:
1919
python-version: '3.9'
2020
- name: Install dependencies
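Review bot: `actions/checkout@v4` on the context line just above the changed one is still a mutable tag, so this hunk only half-closes the finding for publish.yml; since this is the publishing workflow (the job that runs with release credentials), pin it to a full 40-character commit SHA the same way as `actions/setup-python`, otherwise the same "Unpinned tag for a non-immutable Action" warning will remain for this file.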

.github/workflows/run_annotation_tests.yml

Lines changed: 1 addition & 1 deletion
@@ -24,7 +24,7 @@ jobs:
2424
steps:
2525
- uses: actions/checkout@v4
2626
- name: Set up Python ${{ matrix.python-version }}
27-
uses: actions/setup-python@v5
27+
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
2828
with:
2929
python-version: ${{ matrix.python-version }}
3030
- name: Install dependencies for annotation tests
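Review bot: the pinned SHA `a26af69be951a213d495a4c3e4e4022e16d87065` is taken on trust here; the commit message should record how it was resolved (for example the output of `git ls-remote --tags https://github.com/actions/setup-python v5` or the release page) so a reviewer can confirm it points at the upstream tag rather than at an unrelated commit. A full-length SHA is the only form GitHub treats as immutable, so a reviewer should also check it was not abbreviated when copied across files.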

.github/workflows/run_tests.yml

Lines changed: 2 additions & 2 deletions
@@ -24,7 +24,7 @@ jobs:
2424
steps:
2525
- uses: actions/checkout@v4
2626
- name: Set up Python ${{ matrix.python-version }}
27-
uses: actions/setup-python@v5
27+
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
2828
with:
2929
python-version: ${{ matrix.python-version }}
3030
- name: Install dependencies
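Review bot: the trailing `# v5` comment names a moving major-version alias, not the release the SHA actually corresponds to; record the exact tag (`# v5.x.y`, filled in from the release the hash was taken from) so humans reading the workflow and update tooling such as Dependabot or Renovate, which keep that comment in sync when they bump the SHA, can tell what is pinned. The same SHA and comment are repeated in all three workflow files, so keep them identical when fixing this.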
@@ -35,7 +35,7 @@ jobs:
3535
python -m nltk.downloader averaged_perceptron_tagger_eng
3636
python -m nltk.downloader punkt_tab
3737
- name: Run static analysis lint
38-
uses: pre-commit/action@v3.0.1
38+
uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
3939
- name: Run pytest
4040
shell: bash
4141
run: |
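Review bot: pinning `pre-commit/action` to `2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd` freezes security fixes as well as behaviour, so this change should be paired with a `.github/dependabot.yml` entry for the `github-actions` package ecosystem (or an equivalent Renovate rule) so the pinned SHAs are bumped when upstream publishes a fix; without that, pinned hashes tend to go stale silently. Note that the `actions/checkout@v4` step earlier in this file (first hunk) is still tag-referenced, so this file is not yet fully pinned either.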
