Commit e33fe91

fix: pin GitHub Actions to SHA for supply chain security (#452)
## Summary

- Pin all GitHub Actions `uses:` references to commit SHAs for supply chain security
- Original version tags preserved as inline comments for maintainability
- Mitigates supply chain attacks where a compromised tag could inject malicious code (ref: Trivy incident March 2026)

## Changes

- All `uses: owner/action@tag` → `uses: owner/action@SHA # tag`
- No version changes, only pinning format

## Test plan

- [x] Verify CI workflows run successfully
- [x] Confirm no action versions changed, only pinning format
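An added check, not part of this commit or the project, that scans workflow text for `uses:` references and reports which ones are not pinned to a full 40-hex commit SHA; the sample input is constructed from the two lines this commit changes, before and after pinning.

```python
import re

# One `uses:` reference per line, with or without a leading "- ":
#   uses: owner/repo[/path]@<ref> [# <version comment>]
# Local actions ("./path") and "docker://" images carry no "@ref" and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)"
    r"@(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>\S+))?"
)
# Only a full commit SHA is immutable; tags, branches and short SHAs are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_workflow(text: str) -> list[dict]:
    """Return one finding per `uses:` line: the action, its ref, whether the ref is a
    full 40-hex commit SHA, and the trailing version comment (None if absent)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        findings.append({
            "line": lineno,
            "action": m.group("action"),
            "ref": ref,
            "sha_pinned": bool(FULL_SHA_RE.match(ref)),
            "version_comment": m.group("comment"),
        })
    return findings


def unpinned(text: str) -> list[str]:
    """Refs that would move if the upstream tag were re-pointed: anything not a full SHA."""
    return [f"{f['action']}@{f['ref']}" for f in check_workflow(text) if not f["sha_pinned"]]


# Constructed sample: the two `uses:` lines from this commit, before and after pinning.
BEFORE = """\
    steps:
      - uses: actions/github-script@v8
      - uses: actions/checkout@v6
"""
AFTER = """\
    steps:
      - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
"""

if __name__ == "__main__":
    print("unpinned before:", unpinned(BEFORE))  # both actions
    print("unpinned after: ", unpinned(AFTER))   # []
```

Run it as a CI step over `.github/workflows/*.yml` and fail the job when `unpinned()` is non-empty, so the policy this commit applies is enforced on later changes too.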
1 parent ef4cbf0 commit e33fe91

2 files changed

Lines changed: 2 additions & 2 deletions

File tree

.github/workflows/label-issues.yml

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ jobs:
1010
permissions:
1111
issues: write
1212
steps:
13-
- uses: actions/github-script@v8
13+
- uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
1414
with:
1515
script: |
1616
github.rest.issues.addLabels({
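Review bot: confirm that `ed597411d8f924073f98dfc5c65a23a2325f34cd` is the commit that the `v8` tag resolves to rather than the hash of an annotated tag object, since `uses:` requires a commit SHA; `git ls-remote --tags https://github.com/actions/github-script` shows both `refs/tags/v8` and the peeled `refs/tags/v8^{}` when the tag is annotated, and the peeled value is the one to pin. The trailing `# v8` comment is the form Dependabot's github-actions updater understands for SHA-pinned actions, so enabling that updater is worth doing in the same change so the pin and its comment are bumped together instead of going stale. Note also that this pin freezes `v8` at today's commit, so security patches published on the moving `v8` tag no longer arrive on their own; that is the intended trade-off, but it belongs in a comment next to the line so the next maintainer does not "fix" it back to the tag.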

.github/workflows/test.yml

Lines changed: 1 addition & 1 deletion
@@ -9,6 +9,6 @@ jobs:
99
# Ensures default fresh checkout can create containers.
1010
runs-on: ubuntu-latest
1111
steps:
12-
- uses: actions/checkout@v6
12+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
1313
- run: docker compose up --no-start
1414
- run: docker compose -f docker-compose.yml -f compose-debug.yml up --no-start
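Review bot: the same verification applies to `de0fac2e4500dabe0009e67214ff5f5447ce83dd` for `actions/checkout@v6` (peeled tag commit, not an annotated tag object). Nothing in this workflow prevents a later PR from reintroducing a tag-pinned `uses:`, so add a lint step that rejects any `uses:` ref that is not a 40-character hex SHA, otherwise the policy described in the commit message holds only for this one commit. The two `docker compose` steps that follow are untouched here, but the images the compose files pull are the same kind of mutable reference as an action tag; pinning those by digest is the natural follow-up and deserves its own PR.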
