chore: pin GitHub Actions to full-length commit SHAs#534

Merged: buenaflor merged 2 commits into main from pin-gha-actions, May 19, 2026

@joshuarli

Member

Summary

  • Pin all GitHub Actions references in .github/ workflow files to full-length commit SHAs

Generated by devenv pin_gha.

🤖 Generated with Claude Code

@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


branches:
- main

permissions: {}
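
Review bot: The top-level permissions: {} line is a behaviour change that the PR summary does not mention, since the summary covers only SHA pinning. With an empty map at workflow level, every job starts with a token that has no scopes. Keep the deny-by-default setting, but add a job-level permissions block on the job that calls the reusable workflow, listing only the scopes that workflow needs, or state in the description that it does not depend on GITHUB_TOKEN.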


Empty permissions may break reusable updater workflow

Medium Severity

The permissions: {} addition is unrelated to SHA pinning and restricts the GITHUB_TOKEN to have zero permissions. Since this workflow calls the getsentry/github-workflows/.github/workflows/updater.yml reusable workflow, the called workflow inherits this empty permission set and cannot escalate beyond it. If the reusable updater workflow relies on GITHUB_TOKEN for any operations (e.g., checking out code, creating PRs), those operations will fail silently. This change only triggers on schedule or push to main, so it won't be caught by PR-level testing.


@buenaflor buenaflor merged commit b6fb33a into main May 19, 2026
14 of 15 checks passed
@buenaflor buenaflor deleted the pin-gha-actions branch May 19, 2026 08:12