Commit 874be23
committed
#432 Pin gradle/actions/setup-gradle to commit SHA
SonarCloud's GitHub Actions rule S7637 flags `uses: …@<tag>` as a
supply-chain risk: a compromised tag could rewrite the action's
implementation on the next workflow run. Pin to the commit SHA the
v4 tag points at today (gradle/actions v4.4.3, commit
48b5f213c81028ace310571dc5ec0fbbca0b2947) and keep a trailing
`# v4.4.3` comment so the version stays human-readable.
Without this, the bugfix/405 PR analysis hits sonar.qualitygate.wait
on the unreviewed-new-hotspot metric and fails the build.1 parent 5f6283c commit 874be23
1 file changed
Lines changed: 4 additions & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
47 | | - | |
| 47 | + | |
| 48 | + | |
| 49 | + | |
| 50 | + | |
48 | 51 | | |
49 | 52 | | |
50 | 53 | | |
| |||
0 commit comments