fix(ci): Replace npm install -g @go-task/cli with go-task/setup-task action to eliminate npm supply-chain risk.

junhaoliao · junhaoliao · commit 02fc5ea838d6 · 2026-04-03T16:27:22.000-04:00
diff --git a/.github/workflows/code-linting-checks.yaml b/.github/workflows/code-linting-checks.yaml
@@ -34,8 +34,9 @@ jobs:
           python-version: "3.11"
 
       - name: "Install task"
-        shell: "bash"
-        run: "npm install -g @go-task/cli"
+        uses: "go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44"  # v2.0.0
+        with:
+          version: "3.48.0"
 
       - name: "Install uv"
         shell: "bash"
diff --git a/.github/workflows/unit-tests.yaml b/.github/workflows/unit-tests.yaml
@@ -39,8 +39,9 @@ jobs:
           python-version: "3.11"
 
       - name: "Install task"
-        shell: "bash"
-        run: "npm install -g @go-task/cli"
+        uses: "go-task/setup-task@3be4020d41929789a01026e0e427a4321ce0ad44"  # v2.0.0
+        with:
+          version: "3.48.0"
 
       - if: "'macos-14' == matrix.os"
         name: "Install coreutils (for md5sum)"
