ci: pin third-party github actions to commit SHAs#136
Clean, well-scoped supply-chain hardening. All third-party actions in ci.yml and release.yml are SHA-pinned with version comments preserved, and the introduced SHAs are internally consistent with pins already in the repo's merged workflows.
Note: I could not externally verify each SHA against its upstream tag — gh api, git ls-remote, and network fetches are all blocked in this review environment. The reused actions/checkout and actions/download-artifact SHAs already run in merged workflows; the only net-new pin is actions/upload-artifact@b7c566a (# v6), worth a quick manual confirm before merge.
Pins all third-party GitHub Actions in ci.yml and release.yml to full commit SHAs to address the supply-chain risk in #46. Reuses the repo's existing v6/v7 pins for consistency.
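An added check, not part of this PR or the repository, that does what a reviewer of this change would otherwise do by eye: scan workflow text for `uses:` references that are not pinned to a full 40-hex commit SHA, and for SHA pins that lack the trailing version comment the review above asks to be preserved. The sample workflows and the SHAs in them are constructed placeholders, not the upstream commit hashes.

```python
import re

# Constructed sample workflow excerpts (not the repo's real ci.yml/release.yml).
UNPINNED = """
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Placeholder SHAs (made up for this example); the first keeps a version comment,
# the second is pinned but has lost the "# vN" comment a reviewer relies on.
PINNED = """
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4
      - uses: actions/upload-artifact@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def find_unpinned(workflow_text):
    """Return (line_no, ref, reason) for every third-party 'uses:' that is
    not pinned to a full commit SHA, or is SHA-pinned without a version comment."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local composite actions and docker:// images are outside SHA pinning.
        if ref.startswith('./') or ref.startswith('docker://'):
            continue
        # "owner/repo[/path]@ref"; no '@' at all means the default branch.
        _action, _, version = ref.partition('@')
        if not FULL_SHA_RE.match(version):
            findings.append((n, ref, 'not pinned to a full commit SHA'))
        elif '#' not in line[m.end():]:
            findings.append((n, ref, 'SHA pin without version comment'))
    return findings
```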