From 2e45b7b4eb814a4ee629e85efa5e140f6f2d4248 Mon Sep 17 00:00:00 2001
From: Jay Gowdy
Date: Wed, 4 Mar 2026 10:53:53 -0800
Subject: [PATCH] Pin GitHub Actions to commit SHAs

Pin actions/checkout@v4 and actions/setup-go@v5 to their current commit SHAs to prevent supply chain attacks via compromised mutable tags.
---
 .github/workflows/publish.yml | 2 +-
 .github/workflows/test.yml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ec0e9cb..0f4a696 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,7 +12,7 @@ jobs:
 image: node:bookworm
 options: --ulimit core=-1 --ulimit memlock=-1:-1
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
 - name: Install packages
 run: npm install
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 636c598..1d2d0d6 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,7 +29,7 @@ jobs:
 image: node:bookworm
 options: --ulimit core=-1 --ulimit memlock=-1:-1
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2
 - name: Install npm packages
 run: npm install
@@ -47,7 +47,7 @@ jobs:
 INDEX (created)
 );"
 - name: Setup Go environment
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: 1.24.0
 - name: Test Cross-Language
@@ -69,7 +69,7 @@ jobs:
 matrix:
 arch: [ {tag: arm64v8, platform: linux/arm64/v8} ]
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Multi-Architecture Support
 run: scripts/setup-multiarch.sh
 - name: Test Multi-Architecture
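Review bot: The trailing `# v4` / `# v5` comments on the new `uses:` lines record only the major tag, so neither a reader nor Dependabot/Renovate can tell which release the pinned SHA corresponds to; writing the exact tag the SHA resolves to, `# v4.<minor>.<patch>` (placeholder), lets the update tooling check that the SHA still matches the tag and open bump PRs, and the same applies to the checkout and setup-go pins in the three test.yml hunks. The commit message states these are the tags' current commits, which cannot be verified from the diff itself; confirming in the upstream repositories that each SHA is reachable from the named tag before merge is worth a sentence in the description. Once actions are pinned, an automated updater for the `github-actions` ecosystem is needed so the SHAs do not silently go stale, if one is not already configured for this repository. The `image: node:bookworm` context line in this hunk and in the first test.yml hunk still references a mutable registry tag for the job container; pinning it by digest (`node:bookworm@sha256:<digest>`, placeholder) would close the same class of issue the commit sets out to address.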