Pin GitHub Actions to commit SHAs (#919)

jportner-ant · web-flow · commit 3c08a3a1705f · 2026-05-06T09:11:36.000-07:00
Pin third-party GitHub Actions references to immutable commit SHAs.
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -45,17 +45,16 @@ jobs:
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 
-          claude_args: --model claude-opus-4-6
-          
           # Optional: Customize the trigger phrase (default: @claude)
           # trigger_phrase: "/claude"
-          
+
           # Optional: Trigger when specific user is assigned to an issue
           # assignee_trigger: "claude-bot"
-          
-          # Allow Claude to run linters, typecheckers, and tests
-          claude_args: |
-            --allowed-tools "Bash(python -m ruff check:*),Bash(python -m ruff format:*),Bash(python -m mypy:*),Bash(python -m pytest:*)"
 
-          # Optional: Add custom instructions for Claude to customize its behavior for your project
-          # claude_args: --system-prompt "Follow our coding standards"
+          # CLI args: model selection + allowed tools for lint/typecheck/tests.
+          # Add further flags (e.g. --system-prompt "...") to this block rather
+          # than a second claude_args key — duplicate YAML keys are rejected by
+          # GitHub Actions.
+          claude_args: |
+            --model claude-opus-4-6
+            --allowed-tools "Bash(python -m ruff check:*),Bash(python -m ruff format:*),Bash(python -m mypy:*),Bash(python -m pytest:*)"
diff --git a/.github/workflows/pypi-quota-check.yml b/.github/workflows/pypi-quota-check.yml
@@ -38,7 +38,7 @@ jobs:
 
       - name: Post to Slack
         if: steps.quota.outputs.alert == 'true' && github.event_name != 'pull_request'
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # 2.1.1
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 (sha-pinned)
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/slack-issue-notification.yml b/.github/workflows/slack-issue-notification.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Post to Slack
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # 2.1.1
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # v2.1.1 (sha-pinned)
         with:
           method: chat.postMessage
           token: ${{ secrets.SLACK_BOT_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -31,7 +31,7 @@ jobs:
           python -m pytest tests/ -v --cov=claude_agent_sdk --cov-report=xml
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 (sha-pinned)
         with:
           file: ./coverage.xml
           fail_ci_if_error: false
