From 98329e967626ed3350afb8033755ce5ea655b8ee Mon Sep 17 00:00:00 2001 From: Falk Scheerschmidt Date: Wed, 3 Jun 2026 14:23:35 +0200 Subject: [PATCH] chore: pin GitHub Actions to commit SHAs Pin all third-party GitHub Action references to full commit SHAs with the version tag preserved as a trailing comment, per advisory-space ADR 0006 (SHA pinning for GitHub Actions). This mitigates supply-chain risk from mutable tags that can be silently retagged. Co-Authored-By: Claude --- .github/workflows/check-dist.yml | 6 +++--- .github/workflows/cla.yml | 2 +- .github/workflows/integration.yml | 8 ++++---- .github/workflows/release-drafter.yml | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index da8ab5d7..603dc436 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml @@ -21,10 +21,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up mise - uses: jdx/mise-action@v4 + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - name: Install Dependencies run: mise run install @@ -42,7 +42,7 @@ jobs: id: diff # If index.cjs was different than expected, upload the expected version as an artifact - - uses: actions/upload-artifact@v7 + - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index 4f6bab66..ad8936d2 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -15,7 +15,7 @@ jobs: steps: - name: "CLA Assistant" if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request' - uses: cla-assistant/github-action@v2.6.1 + uses: cla-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} PERSONAL_ACCESS_TOKEN: ${{ secrets.OSS_CONTRIBUTOR_LICENSE_AGREEMENT }} diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml index 822a203f..7ceef38f 100644 --- a/.github/workflows/integration.yml +++ b/.github/workflows/integration.yml @@ -13,10 +13,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up mise - uses: jdx/mise-action@v4 + uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4 - name: Install Dependencies run: mise run install @@ -29,7 +29,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Execute Action uses: ./ @@ -41,7 +41,7 @@ jobs: dependabot: needs: [build, test] - uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@v13.4.1 + uses: Staffbase/gha-workflows/.github/workflows/template_automerge_dependabot.yml@9ea5ca06a1ef865b0af9745b47ea74b731b65fc5 # v13.4.1 with: force: true secrets: diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 8d3543b4..4ca00f2e 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -12,6 +12,6 @@ permissions: jobs: update_release_draft: - uses: Staffbase/gha-workflows/.github/workflows/template_release_drafter.yml@v13.4.1 + uses: Staffbase/gha-workflows/.github/workflows/template_release_drafter.yml@9ea5ca06a1ef865b0af9745b47ea74b731b65fc5 # v13.4.1 secrets: token: ${{ secrets.GITHUB_TOKEN }}