From 2705895b0af0598020b005d07740aa3087d0ecef Mon Sep 17 00:00:00 2001
From: Max Rydahl Andersen
Date: Tue, 19 May 2026 15:10:48 +0200
Subject: [PATCH] ci: pin GitHub Actions to full-length commit SHAs

Pin all action references to full-length commit SHAs for supply chain security. This is required for the org-level policy: 'Require actions to be pinned to a full-length commit SHA'. Original version tags are preserved as comments for readability. Existing SHA pins are left unchanged.
---
 .github/workflows/ci-build.yml | 8 ++++----
 .github/workflows/tag-and-release.yml | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index e919cec..b4dcfcb 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -19,9 +19,9 @@ jobs:
 contents: read
 
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Set up JDK 17
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: '17'
 distribution: 'temurin'
@@ -41,9 +41,9 @@ jobs:
 contents: write
 
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 - name: Set up JDK 17
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
 with:
 java-version: '17'
 distribution: 'temurin'
diff --git a/.github/workflows/tag-and-release.yml b/.github/workflows/tag-and-release.yml
index f6ec9bc..ab56ce5 100644
--- a/.github/workflows/tag-and-release.yml
+++ b/.github/workflows/tag-and-release.yml
@@ -30,7 +30,7 @@ jobs:
 run: ./gradlew --no-daemon --build-cache --scan -s clean publish jreleaserRelease
 - name: release-output
 if: always()
- uses: actions/upload-artifact@v5
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5
 with:
 name: upload-release-output
 path: |
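Review bot: The `# v5` comments on the pinned `uses:` lines name a moving major tag, so they do not record which release each SHA was taken from and a later reader cannot audit the pin against upstream. Record the exact release instead, e.g. `- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.X.Y` (X.Y is a placeholder for the real tag), and confirm each SHA is a commit in the action's own repository rather than in a fork, since a SHA reference can resolve to a fork commit. The same applies to the `setup-java` lines here, to the second hunk of this file and to the `upload-artifact` line in tag-and-release.yml. The patch shows no Dependabot or Renovate entry for the `github-actions` ecosystem; without one these pins will not pick up upstream security fixes.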
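Review bot: The checkout step in the job that holds `contents: write` (second hunk of ci-build.yml) still runs with its defaults, so the job token is written into the local git configuration and stays readable by every later step, including the Gradle build. If nothing after it pushes with git, add `with:` and `persist-credentials: false` under that `actions/checkout` step. The remaining steps of the job lie outside the hunk, so whether a later step depends on the persisted token needs to be checked before applying this.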