From d19e26b88d522795888aba08efb5c35c38ee28db Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Tue, 14 Apr 2026 22:14:43 -0400
Subject: [PATCH] chore(ci): SHA-pin third-party GitHub Actions refs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pins every external `uses:` ref to a commit SHA with a trailing `# ` comment. Closes the tj-actions-class supply-chain attack vector where a malicious tag push exfiltrates secrets. Dependabot continues to update via the version comment. Action refs that can't be pinned (e.g. `dtolnay/rust-toolchain@stable` which is intentionally a moving ref) are left as-is — these are floating channel refs, not tag refs.
---
 .github/workflows/hooks-sync.yml | 4 ++--
 .github/workflows/hooks-tests.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/hooks-sync.yml b/.github/workflows/hooks-sync.yml
index 2f82b96..1d49595 100644
--- a/.github/workflows/hooks-sync.yml
+++ b/.github/workflows/hooks-sync.yml
@@ -33,7 +33,7 @@ jobs:
 name: shellcheck + parse
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Install shellcheck
 run: sudo apt-get update -y && sudo apt-get install -y shellcheck
@@ -55,7 +55,7 @@ jobs:
 name: smoke — raw-fetch fallback path
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Spin up a throwaway git repo and install hooks
 run: |
diff --git a/.github/workflows/hooks-tests.yml b/.github/workflows/hooks-tests.yml
index 417b1a8..2546582 100644
--- a/.github/workflows/hooks-tests.yml
+++ b/.github/workflows/hooks-tests.yml
@@ -34,7 +34,7 @@ jobs:
 name: bats
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - name: Install bats
 run: |
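Review bot: The trailing `# v4.3.1` comment on the pinned `actions/checkout` line is the only thing tying the SHA `34e114876b0b11c390a56381ad16ebd13914f8d5` to a version, and nothing in the commit shows that correspondence was checked; the same pin appears in all three hunks (hooks-sync.yml at @@ -33 and @@ -55, hooks-tests.yml at @@ -34). Before merge, confirm that the SHA is the commit the upstream v4.3.1 tag resolves to and say so in the description, because a wrong SHA with a plausible-looking comment would be caught by neither a reviewer nor Dependabot. The description states that Dependabot keeps the pin current via the version comment, which holds only if `.github/dependabot.yml` has a `package-ecosystem: github-actions` entry — that file is not in the diff, so it is worth confirming. The steps following each pinned checkout (the `run: |` bodies in the second and third hunks) continue outside the hunks.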