
fix: pin GitHub Actions to SHA for supply chain security #10

Merged
security-claw merged 1 commit into master from fix/github-action-sha-pinning on Jun 23, 2026

Conversation

@riccardosarro (Contributor)

Summary

Pin all GitHub Actions to full commit SHAs for supply chain security.

Actions referenced by tag or branch have been resolved to their commit SHA, with the original ref preserved as an inline comment. Where a sub-action had unpinned transitive dependencies, the action was upgraded to the closest newer version where all sub-actions are fully pinned.

References to this repo's own reusable workflows / composite actions have been rewritten to relative ./ paths, which run from the current commit and are exempt from SHA-pinning enforcement.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
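The two properties this PR claims (every external `uses:` is a full commit SHA with the original ref kept as a trailing comment; own reusable workflows become relative `./` paths) are mechanically checkable. Below is an added example of such a checker; it is not the repository's own tooling nor part of the gha-sha-pinning automation. It assumes the `uses:` lines follow the usual `uses: owner/repo[/path]@ref  # comment` shape, that steps are not reordered between the before and after versions, and that the repository uses no `docker://` references. The workflow fragments and the 40-hex SHAs in them are constructed placeholders, not the real commits behind those tags.

```python
"""Check SHA pinning of GitHub Actions `uses:` references (added example)."""
import re
from typing import NamedTuple

# Matches "uses: target  # comment" at step level ("- uses:") or job level ("uses:").
USES_RE = re.compile(
    r"""^\s*(?:-\s+)?uses:\s*['"]?(?P<target>[^\s'"#]+)['"]?\s*(?:#\s*(?P<comment>.*?))?\s*$"""
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


class Uses(NamedTuple):
    line_no: int
    action: str   # owner/repo[/path] or ./local/path
    ref: str      # text after '@' ('' when absent, e.g. local refs)
    comment: str  # trailing '# ...' text, whitespace stripped


def parse_uses(text: str) -> list[Uses]:
    found = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, _, ref = m.group("target").partition("@")
            found.append(Uses(n, action, ref, (m.group("comment") or "").strip()))
    return found


def is_pinned(u: Uses) -> bool:
    """Local ./ refs run from the checked-out commit and need no pin.
    Everything else must name a full 40-hex commit SHA (tags and branches are mutable)."""
    return u.action.startswith("./") or bool(SHA_RE.match(u.ref))


def check_pinned(text: str) -> list[str]:
    """One finding per uses: line that is not SHA-pinned."""
    return [f"line {u.line_no}: {u.action}@{u.ref or '<none>'} is not pinned to a commit SHA"
            for u in parse_uses(text) if not is_pinned(u)]


def check_pure_pin(old_text: str, new_text: str) -> list[str]:
    """The reviewer's rule from the thread: same actions, new ref is a full SHA,
    old ref survives as the trailing comment. Own reusable workflows may become
    relative ./ paths with the same file path. Anything else (a version bump,
    a dropped step) is reported for human review rather than auto-approved."""
    old, new = parse_uses(old_text), parse_uses(new_text)
    if len(old) != len(new):
        return [f"uses: count changed {len(old)} -> {len(new)}"]
    findings = []
    for o, n in zip(old, new):  # assumes step order is unchanged
        if n.action.startswith("./"):
            # "./.github/workflows/x.yml" must be the tail of "org/repo/.github/workflows/x.yml"
            if not o.action.endswith(n.action[1:]):
                findings.append(f"line {n.line_no}: {o.action} rewritten to unrelated {n.action}")
        elif o.action != n.action:
            findings.append(f"line {n.line_no}: action changed {o.action} -> {n.action}")
        elif not is_pinned(n):
            findings.append(f"line {n.line_no}: {n.action}@{n.ref} is not a full SHA")
        elif n.comment != o.ref:
            findings.append(f"line {n.line_no}: comment '{n.comment}' != original ref "
                            f"'{o.ref}' (version bump?)")
    return findings


# Constructed before/after fragments; "acme/tools" stands for this repository itself.
OLD_WORKFLOW = """\
jobs:
  build:
    uses: acme/tools/.github/workflows/build.yml@main
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - uses: ./.github/actions/lint
"""

NEW_WORKFLOW = """\
jobs:
  build:
    uses: ./.github/workflows/build.yml
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: actions/setup-node@89abcdef0123456789abcdef0123456789abcdef # v4
        with:
          node-version: 20
      - uses: ./.github/actions/lint
"""

if __name__ == "__main__":
    print("before:", check_pinned(OLD_WORKFLOW))
    print("after: ", check_pinned(NEW_WORKFLOW))
    print("pure-pin:", check_pure_pin(OLD_WORKFLOW, NEW_WORKFLOW))
```

To produce the SHAs in the first place, `git ls-remote https://github.com/actions/checkout refs/tags/v4` prints the object the tag points at; for an annotated tag take the `^{}` (peeled) line, which is the commit, not the tag object. The `# v4` comment is informational only: it is what Dependabot or Renovate key on when bumping, and nothing enforces that it still matches the SHA, which is why the pure-pin check above compares it against the previous ref rather than trusting it.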
@riccardosarro added the label vimeo-sha-pinning-enforcement (PRs opened by gha-sha-pinning automation) on Jun 22, 2026

@security-claw left a comment

✅ pure-pin (OLD ref == NEW # vN comment on every uses: line), only touches .github/workflows/*.yml, CI green. Approving.

— reviewed by security-claw 🛡️

@security-claw merged commit da3fedf into master on Jun 23, 2026
4 checks passed

Labels

vimeo-sha-pinning-enforcement (PRs opened by gha-sha-pinning automation)


2 participants