Skip to content

Commit 874be23

Browse files
committed
#432 Pin gradle/actions/setup-gradle to commit SHA
SonarCloud's GitHub Actions rule S7637 flags `uses: …@<tag>` as a supply-chain risk: a compromised tag could rewrite the action's implementation on the next workflow run. Pin to the commit SHA the v4 tag points at today (gradle/actions v4.4.3, commit 48b5f213c81028ace310571dc5ec0fbbca0b2947) and keep a trailing `# v4.4.3` comment so the version stays human-readable. Without this, the bugfix/405 PR analysis hits sonar.qualitygate.wait on the unreviewed-new-hotspot metric and fails the build.
1 parent 5f6283c commit 874be23

1 file changed

Lines changed: 4 additions & 1 deletion

File tree

.github/workflows/gradle-build.yml

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,10 @@ jobs:
4444
java-version: '17'
4545

4646
- name: Setup Gradle
47-
uses: gradle/actions/setup-gradle@v4
47+
# Pin to commit SHA per SonarCloud rule githubactions:S7637 (supply-chain hardening).
48+
# Update both the SHA and the comment together when bumping; verify the SHA at
49+
# https://github.com/gradle/actions/releases.
50+
uses: gradle/actions/setup-gradle@48b5f213c81028ace310571dc5ec0fbbca0b2947 # v4.4.3
4851
with:
4952
cache-read-only: true
5053

0 commit comments

Comments
 (0)