
Commit 1ad9225

authored
chore: pin third-party GitHub Actions to commit SHAs (#510)
## Summary Pin all third-party GitHub Actions to full-length commit SHAs to mitigate supply-chain attacks that retarget a mutable tag or branch. Addresses findings from the [`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml) Semgrep rule. ## Test plan - [ ] Verify CI passes with pinned action SHAs <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk change that only updates GitHub Actions references to immutable commit SHAs; the main risk is CI/release packaging breaking if the pinned revisions are incorrect or later removed. > > **Overview** > Pins third-party GitHub Actions used by the `sdk-release` composite action to full commit SHAs (notably `thedoctor0/zip-release` and `ilammy/msvc-dev-cmd`) to reduce supply-chain risk while keeping the referenced versions the same. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 508322c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
2 parents 5292cb7 + 508322c commit 1ad9225

1 file changed

Lines changed: 17 additions & 17 deletions


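--- a/.github/actions/sdk-release/action.yml
+++ b/.github/actions/sdk-release/action.yml
@@ -73,15 +73,15 @@ runs:
 
 - name: Archive Release Linux - GCC/x64/Static
 if: runner.os == 'Linux'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static/release'
 type: 'zip'
 filename: 'linux-gcc-x64-static.zip'
 
 - name: Archive Release Linux - GCC/x64/Dynamic
 if: runner.os == 'Linux'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic/release'
 type: 'zip'
@@ -100,15 +100,15 @@ runs:
 
 - name: Archive Release Linux - GCC/x64/Static/CURL
 if: runner.os == 'Linux'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static-curl/release'
 type: 'zip'
 filename: 'linux-gcc-x64-static-curl${{ steps.curl-suffix-linux.outputs.suffix }}.zip'
 
 - name: Archive Release Linux - GCC/x64/Dynamic/CURL
 if: runner.os == 'Linux'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic-curl/release'
 type: 'zip'
@@ -141,7 +141,7 @@ runs:
 
 - name: Configure MSVC
 if: runner.os == 'Windows'
-uses: ilammy/msvc-dev-cmd@v1
+uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1
 
 - name: Build Windows Artifacts (Boost.Beast)
 if: runner.os == 'Windows'
@@ -165,31 +165,31 @@ runs:
 
 - name: Archive Release Windows - MSVC/x64/Static
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static/release'
 type: 'zip'
 filename: 'windows-msvc-x64-static.zip'
 
 - name: Archive Release Windows - MSVC/x64/Dynamic
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic/release'
 type: 'zip'
 filename: 'windows-msvc-x64-dynamic.zip'
 
 - name: Archive Release Windows - MSVC/x64/Static/Debug
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static-debug/release'
 type: 'zip'
 filename: 'windows-msvc-x64-static-debug.zip'
 
 - name: Archive Release Windows - MSVC/x64/Dynamic/Debug
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic-debug/release'
 type: 'zip'
@@ -208,31 +208,31 @@ runs:
 
 - name: Archive Release Windows - MSVC/x64/Static/CURL
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static-curl/release'
 type: 'zip'
 filename: 'windows-msvc-x64-static-curl${{ steps.curl-suffix-windows.outputs.suffix }}.zip'
 
 - name: Archive Release Windows - MSVC/x64/Dynamic/CURL
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic-curl/release'
 type: 'zip'
 filename: 'windows-msvc-x64-dynamic-curl${{ steps.curl-suffix-windows.outputs.suffix }}.zip'
 
 - name: Archive Release Windows - MSVC/x64/Static/Debug/CURL
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static-debug-curl/release'
 type: 'zip'
 filename: 'windows-msvc-x64-static-debug-curl${{ steps.curl-suffix-windows.outputs.suffix }}.zip'
 
 - name: Archive Release Windows - MSVC/x64/Dynamic/Debug/CURL
 if: runner.os == 'Windows'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic-debug-curl/release'
 type: 'zip'
@@ -278,15 +278,15 @@ runs:
 
 - name: Archive Release Mac - AppleClang/${{ inputs.mac_artifact_arch }}/Static
 if: runner.os == 'macOS'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static/release'
 type: 'zip'
 filename: 'mac-clang-${{ inputs.mac_artifact_arch }}-static.zip'
 
 - name: Archive Release Mac - AppleClang/${{ inputs.mac_artifact_arch }}/Dynamic
 if: runner.os == 'macOS'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic/release'
 type: 'zip'
@@ -305,15 +305,15 @@ runs:
 
 - name: Archive Release Mac - AppleClang/${{ inputs.mac_artifact_arch }}/Static/CURL
 if: runner.os == 'macOS'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-static-curl/release'
 type: 'zip'
 filename: 'mac-clang-${{ inputs.mac_artifact_arch }}-static-curl${{ steps.curl-suffix-macos.outputs.suffix }}.zip'
 
 - name: Archive Release Mac - AppleClang/${{ inputs.mac_artifact_arch }}/Dynamic/CURL
 if: runner.os == 'macOS'
-uses: thedoctor0/zip-release@0.7.1
+uses: thedoctor0/zip-release@a24011d8d445e4da5935a7e73c1f98e22a439464 # 0.7.1
 with:
 path: 'build-dynamic-curl/release'
 type: 'zip'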
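Review bot: The `ilammy/msvc-dev-cmd` pin at line 144 is annotated `# v1`, a floating major-version tag, so a reader cannot tell which release the SHA `0b201ec7…` is meant to correspond to, and SHA-maintenance tooling that keys on the trailing comment will keep tracking `v1` rather than a fixed release. Replace the comment with the exact release tag that resolves to that commit, the way the `zip-release` pins already do with `# 0.7.1`. Because the PR's only test-plan item is "CI passes", each SHA should also be checked against the upstream tag before merge, e.g. `git ls-remote https://github.com/thedoctor0/zip-release 'refs/tags/0.7.1^{}'` — a wrong or attacker-supplied SHA still builds green. Use the peeled (`^{}`) commit SHA rather than an annotated tag object's SHA, since the `uses:` reference is expected to name a commit.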
