chore: pin third-party GitHub Actions to commit SHAs (#25)

osm6495 · web-flow · commit 68ea81eaf3d0 · 2026-03-24T09:39:52.000-04:00
## Summary Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the [`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml) Semgrep rule. ## Test plan - [ ] Verify CI passes with pinned action SHAs  --- > [!NOTE] > **Low Risk** > Low risk: workflow-only changes that pin existing GitHub Actions to specific commits; failures would be limited to CI/release automation if a pinned SHA becomes unavailable. > > **Overview** > Pins third-party GitHub Actions to full commit SHAs for supply-chain hardening. > > Updates `ruby/setup-ruby` in the shared CI composite action and in the Windows/manual docs workflows, and pins `googleapis/release-please-action` in the release workflow; no application/runtime code changes. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 37021f7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/.github/actions/ci/action.yml b/.github/actions/ci/action.yml
@@ -8,7 +8,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: ruby/setup-ruby@v1
+    - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
       with:
         ruby-version: ${{ inputs.ruby-version }}
 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -41,7 +41,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
         with:
           ruby-version: 3.2
 
diff --git a/.github/workflows/manual-publish-docs.yml b/.github/workflows/manual-publish-docs.yml
@@ -11,7 +11,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
         with:
           ruby-version: 3.1
 
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -16,7 +16,7 @@ jobs:
       release-created: ${{ steps.release.outputs.release_created }}
       tag-name: ${{ steps.release.outputs.tag_name }}
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
         id: release
   
   release-sdk:
