From 66658bce89293b9457f3e5ef987bdb2f2c9ffbc4 Mon Sep 17 00:00:00 2001 From: KiloClaw Security Date: Sun, 28 Jun 2026 04:13:00 +0000 Subject: [PATCH] ci: pin GitHub Actions to full commit SHAs Pin unpinned action references to immutable commit SHAs. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions --- .github/workflows/backport.yml | 4 ++-- .github/workflows/checks.yaml | 4 ++-- .github/workflows/mend.yaml | 6 +++--- .github/workflows/rspec_tests.yaml | 4 ++-- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml index 40086688592..0393ef95e16 100644 --- a/.github/workflows/backport.yml +++ b/.github/workflows/backport.yml @@ -14,6 +14,6 @@ jobs: # backport label is applied to an already merged PR. if: github.event.pull_request.merged && contains(github.event.label.name, 'backport') steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Create backport pull requests - uses: korthout/backport-action@v1 + uses: korthout/backport-action@bd68141f079bd036e45ea8149bc9d174d5a04703 # v1 diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 6fad834b99f..b2d658f8a5b 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -22,12 +22,12 @@ jobs: runs-on: ${{ matrix.cfg.os }} steps: - name: Checkout current PR - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - name: Install ruby version ${{ matrix.cfg.ruby }} - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1 with: ruby-version: ${{ matrix.cfg.ruby }} diff --git a/.github/workflows/mend.yaml b/.github/workflows/mend.yaml index e77550532ec..a5eee4b3ce2 100644 --- a/.github/workflows/mend.yaml +++ b/.github/workflows/mend.yaml @@ -11,14 +11,14 @@ jobs: name: Mend Monitor steps: - name: Checkout current PR - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1 with: ruby-version: 3.1 - name: Create lock run: bundle lock - - uses: actions/setup-java@v3 + - uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3 with: distribution: 'temurin' java-version: '17' diff --git a/.github/workflows/rspec_tests.yaml b/.github/workflows/rspec_tests.yaml index 848cdad0704..6cdb6b57ae9 100644 --- a/.github/workflows/rspec_tests.yaml +++ b/.github/workflows/rspec_tests.yaml @@ -30,10 +30,10 @@ jobs: BUNDLE_SET: "without packaging documentation" steps: - name: Checkout current PR - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Install ruby version ${{ matrix.cfg.ruby }} - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@9eb537ca036ebaed86729dcb9309076e4c5c3b74 # v1 with: ruby-version: ${{ matrix.cfg.ruby }} bundler-cache: true