While browsing the workflow files, I noticed that almost all external actions are pinned to a commit SHA with a version comment, e.g.:

```yaml
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
```

Two actions are still referenced by a major-version tag:

- `actions/setup-java@v5` (prepare-gradle-build/action.yml#L37, publish-gradle-plugin/action.yml#L31, verify.yml#L52)
- `actions/upload-artifact@v7` (verify.yml#L84, build-pull-request.yml#L21)

It looks like `actions/*` actions were switched to tags in August 2025 (see the polish of #46787), while with 9b281d5 (#50835) `actions/checkout` was pinned to a SHA again. Should these two be pinned to SHAs as well?

If so, I'd be happy to submit a PR. 🙂
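
A check for the pinning convention raised in this issue, as an added example that is not part of the original post or the project's own code: it scans workflow text for `uses:` references whose ref is not a full 40-character commit SHA. The sample workflow is constructed, the local action path in it is hypothetical, and the function names are assumptions.

```python
import re

# Matches a `uses:` reference (step or job level) and an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify(ref):
    """Return 'local', 'docker', 'sha' or 'mutable' for a uses: value."""
    if ref.startswith("./"):
        return "local"    # action in the same repository, versioned with it
    if ref.startswith("docker://"):
        return "docker"   # image reference, pinned by digest rather than commit
    _, _, version = ref.partition("@")
    return "sha" if FULL_SHA_RE.match(version) else "mutable"


def find_unpinned(text, filename="<workflow>"):
    """List (filename, line number, reference) for tag- or branch-pinned actions."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and classify(m.group(1)) == "mutable":
            findings.append((filename, lineno, m.group(1)))
    return findings


# Constructed sample workflow; the SHA-pinned line is the one quoted in the issue.
SAMPLE = """\
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
      - uses: actions/setup-java@v5
      - uses: ./.github/actions/prepare-gradle-build
      - name: Upload
        uses: actions/upload-artifact@v7
"""

if __name__ == "__main__":
    for filename, lineno, ref in find_unpinned(SAMPLE, "verify.yml"):
        print(f"{filename}:{lineno}: {ref} is not pinned to a full commit SHA")
```

Run over the real files under `.github/`, a non-empty result can fail a CI job so that tag references do not reappear after a later cleanup commit.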