From 2bd5d1e337085db981157ef33d85390d91b97336 Mon Sep 17 00:00:00 2001 From: Lauri Gates Date: Sun, 14 Jun 2026 17:17:38 +0300 Subject: [PATCH] ci: pin third-party Actions to commit SHAs (#3) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin every third-party Action to a full-length commit SHA with a version comment (Dependabot/Renovate keep these current). A mutable tag like @v6 lets the tag owner — or anyone who compromises their account — swap the code an Action runs, and these run in jobs holding contents: write (release upload) and id-token: write (npm provenance). SHAs make the supply chain reproducible and reviewable. actions/checkout@v6 -> df4cb1c... # v6 actions/setup-node@v6 -> 48b55a0... # v6 softprops/action-gh-release@v3 -> b430933... # v3 peter-evans/repository-dispatch@v4 -> 28959ce... # v4 rustsec/audit-check@v2 -> 69366f3... # v2.0.0 dependabot.yml already tracks the github-actions ecosystem, so these pins stay maintained. https://claude.ai/code/session_01T3Z35bgg6cvWzBDfyh6pQ8 (cherry picked from commit ae343f85d740edfd2762c5e222d4f8e4e79c53b3) --- .github/workflows/ci.yml | 8 ++++---- .github/workflows/release.yml | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b81b412..9278f43 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,7 +13,7 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install toolchain (pinned via rust-toolchain.toml) run: rustup show - name: Format @@ -26,8 +26,8 @@ jobs: audit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 - - uses: rustsec/audit-check@v2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }} @@ -40,7 +40,7 @@ jobs: os: [ubuntu-latest, macos-14] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install toolchain (pinned via rust-toolchain.toml) run: rustup show - name: Test diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e6091b1..0fe1bde 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,7 +22,7 @@ jobs: - target: aarch64-unknown-linux-gnu os: ubuntu-24.04-arm steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Install toolchain run: rustup target add ${{ matrix.target }} - name: Build @@ -40,7 +40,7 @@ jobs: fi cat surf-${{ matrix.target }}.tar.gz.sha256 - name: Upload to release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 with: files: | surf-${{ matrix.target }}.tar.gz @@ -54,8 +54,8 @@ jobs: contents: read # download the release assets built by `build` id-token: write # npm publish --provenance attestation steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: "20" registry-url: "https://registry.npmjs.org" @@ -111,7 +111,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Dispatch to surface-site - uses: peter-evans/repository-dispatch@v4 + uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4 with: token: ${{ secrets.SURFACE_SITE_SYNC_TOKEN }} repository: Connorrmcd6/surface-site