You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
ci: pin third-party actions to commit SHAs (REQ-1.4.10)
- Pin actions/checkout, github-script, setup-python, codeql-action init/autobuild/analyze,
upload-pages-artifact, deploy-pages, amannn/action-semantic-pull-request, and
actions/stale to immutable commit SHAs across all 9 root .github/workflows/*.yml files
- Tags resolved live via gh api (2026-07-07); repo had already drifted past the phase-31-01
baseline (checkout v7, setup-python v6, codeql-action v4, upload-pages-artifact v5,
deploy-pages v5, action-semantic-pull-request v6, stale v10, github-script v9)
- permissions: and timeout-minutes: were already present on every root workflow job; not
modified there
- Also fixed templates/demo-repo/.github/workflows/*.yml (autopilot-create-issue.yml,
demo-ci.yml): these template files, copied into other repos by
autopilot-org-installer.yml, were caught by workflow-lint's recursive scan with their own
unpinned-action/missing-permissions/missing-timeout findings; out of the plan's original
9-file scope but fixed so this repo's own workflow-lint gate passes and installer-scaffolded
repos inherit compliant templates
0 commit comments