From f7c91b2c5ec88ad62fd9910e7d3a1775b2ca2df0 Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Mon, 30 Mar 2026 12:07:12 -0400
Subject: [PATCH 1/2] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/workflows/release-please.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 5bd5a15..18c230a 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -14,7 +14,7 @@ jobs:
 contents: write # Contents and pull-requests are for release-please to make releases.
 pull-requests: write
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 id: release
 - uses: actions/checkout@v4

From 45fa8ede3e5f5c1cb799909b4dc1632c3a31f3d4 Mon Sep 17 00:00:00 2001
From: "Matthew M. Keeler"
Date: Mon, 30 Mar 2026 12:12:29 -0400
Subject: [PATCH 2/2] Apply suggestion from @keelerm84

---
 .github/workflows/release-please.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 18c230a..8cf72db 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -14,7 +14,7 @@ jobs:
 contents: write # Contents and pull-requests are for release-please to make releases.
 pull-requests: write
 steps:
- - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
 id: release
 - uses: actions/checkout@v4
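Review bot: The `- uses: actions/checkout@v4` step two lines below the changed line in PATCH 1/2 is still referenced by a mutable tag, so the job is only partly immutable after this patch; if the goal is reproducible, tamper-evident workflow runs rather than only clearing the Semgrep finding (whose rule skips the `actions/` org), pin it the same way, e.g. `- uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder values), or state in the commit message why first-party actions are deliberately left on tags. The `# v4` trailer on the added line should name the exact release the SHA resolves to, which PATCH 2/2 changes to `# v4.4.0`; Dependabot and Renovate read that comment to propose bumps and reviewers use it to check the pin, so confirm locally that the `v4.4.0` tag of googleapis/release-please-action resolves to `16a9c90856f42705d54a6fda1823352bdc62cf38`, since this page cannot show it. The `steps:` list and the enclosing job continue past the end of both hunks.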