From 48e49f9a9ce2c19e778a623de21bd1babf0b919e Mon Sep 17 00:00:00 2001 From: Lakshman Patel Date: Tue, 14 Jul 2026 06:45:25 +0530 Subject: [PATCH] chore(ci): pin third-party actions to commit SHAs, pin jscpd version, remove log truncation Removing '| head -50' on deadcode/jscpd output was hiding failures past line 50. Pinning actions/checkout, actions/setup-node, docker/* actions to SHA digests guards against tag-mutation supply-chain attacks. --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 61791450..1683ba4f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -160,7 +160,7 @@ jobs: - name: deadcode run: | go install golang.org/x/tools/cmd/deadcode@v0.28.0 - deadcode ./... 2>&1 | head -50 + deadcode ./... # ------------------------------------------------------------------------- # Duplication detection — jscpd. @@ -175,7 +175,7 @@ jobs: node-version: '20' - name: jscpd run: | - npx jscpd --min-lines 5 --min-tokens 50 --reporters console --blame . 2>&1 | head -50 + npx --yes jscpd@5.0.12 --min-lines 5 --min-tokens 50 --reporters console --blame . # ------------------------------------------------------------------------- # Fuzz — short corpus runs to catch panics in fuzz targets.