From ccb01063dc8127c645deb7c3440706c2d9c6d67e Mon Sep 17 00:00:00 2001 From: Chen Zhang Date: Mon, 6 Jul 2026 21:15:19 -0400 Subject: [PATCH] ci: SHA-pin actions/* to full commit SHA with version comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Supply-chain hardening (org convention): pin GitHub-published actions to a full commit SHA + '# vX.Y.Z' comment (matching the already-pinned third-party actions). Same version each action currently uses — no behavior change. Dependabot maintains SHA pins + comments going forward. Assisted-With: Claude Opus 4.8 (1M context) --- .github/workflows/copilot-setup-steps.yml | 4 ++-- .github/workflows/test_and_deploy.yaml | 12 ++++++------ .github/workflows/update-lockfiles.yml | 2 +- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index a9dd61a..c1aca9d 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -32,7 +32,7 @@ jobs: # this will install pre-commit into a python environment steps: - - uses: actions/checkout@v7 - - uses: actions/setup-python@v6 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 - run: python -m pip install pre-commit shell: bash diff --git a/.github/workflows/test_and_deploy.yaml b/.github/workflows/test_and_deploy.yaml index c05c4fc..8169d33 100644 --- a/.github/workflows/test_and_deploy.yaml +++ b/.github/workflows/test_and_deploy.yaml @@ -22,7 +22,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 fetch-tags: true @@ -64,7 +64,7 @@ jobs: actions: read # for upload-sarif to read run status (private repos) steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 fetch-tags: true @@ -115,7 +115,7 @@ jobs: path: ${{ steps.install.outputs.conda_install_dir }} - name: Upload conda package as artifact - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: artifact-conda-package path: ${{ env.PKG_NAME }}-*.conda @@ -127,7 +127,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/next' steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 fetch-tags: true @@ -145,7 +145,7 @@ jobs: run: pixi install --frozen --skip ${{ env.PKG_NAME }} - name: Download conda package artifact - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: artifact-conda-package @@ -175,7 +175,7 @@ jobs: id-token: write steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 fetch-tags: true diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml index b8bdf0c..8f401fe 100644 --- a/.github/workflows/update-lockfiles.yml +++ b/.github/workflows/update-lockfiles.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # checks out refspec that triggered or the default branch - name: Setup pixi