chore: pin third-party GitHub Actions to commit SHAs (#1869)

pkaeding · web-flow · commit 7254c3198ec4 · 2026-04-01T16:04:54.000-04:00
* [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule. * Apply suggestion from @pkaeding * Apply suggestion from @pkaeding
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -88,7 +88,7 @@ jobs:
           fetch-depth: 0
 
       - name: Setup Biome
-        uses: biomejs/setup-biome@a05c02a1304287da45f13648675a70d5841acdbc # v2
+        uses: biomejs/setup-biome@4c91541eaada48f67d7dbd7833600ce162b68f51 # v2
 
       - name: Run Biome
         run: biome ci .
