From 86969f23d3ef2f206c31a00e1717c25446e4d637 Mon Sep 17 00:00:00 2001 From: Lakshman Patel Date: Tue, 14 Jul 2026 06:45:11 +0530 Subject: [PATCH] chore(ci): pin third-party actions to commit SHAs, pin jscpd version, remove log truncation Removing '| head -50' on deadcode/jscpd output was hiding failures past line 50. Pinning actions/checkout, actions/setup-node, docker/* actions to SHA digests guards against tag-mutation supply-chain attacks. --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index b80eeb7..6776d22 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -211,7 +211,7 @@ jobs: - name: deadcode run: | go install golang.org/x/tools/cmd/deadcode@v0.30.0 - deadcode ./... 2>&1 | head -50 + deadcode ./... # ------------------------------------------------------------------------- # Duplication detection — jscpd. @@ -226,7 +226,7 @@ jobs: node-version: '24' - name: jscpd run: | - npx jscpd --min-lines 5 --min-tokens 50 --reporters console --blame . 2>&1 | head -50 + npx --yes jscpd@5.0.12 --min-lines 5 --min-tokens 50 --reporters console --blame . # ------------------------------------------------------------------------- # 7. Secret scan — detect leaked API keys, tokens, credentials.