From 25e704f064d548f13a3f657399a7d259ff12b260 Mon Sep 17 00:00:00 2001 From: KiloClaw Security Date: Sun, 28 Jun 2026 04:12:50 +0000 Subject: [PATCH] ci: pin GitHub Actions to full commit SHAs Pin unpinned action references to immutable commit SHAs. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions --- .github/workflows/build-packages.yml | 4 ++-- .github/workflows/dependabot-sync.yml | 6 +++--- .github/workflows/nightly-stress-test.yml | 8 ++++---- .github/workflows/run-nightly.yml | 2 +- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-packages.yml b/.github/workflows/build-packages.yml index 44b538d285bd..48236994cbbc 100644 --- a/.github/workflows/build-packages.yml +++ b/.github/workflows/build-packages.yml @@ -87,7 +87,7 @@ jobs: # We need a more recent rustc - name: Install a more recent `rustc` if: ${{ inputs.source == 'src' }} - uses: actions-rust-lang/setup-rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@166cdcfd11aee3cb47222f9ddb555ce30ddb9659 # v1 - name: Set rust environment variables if: ${{ inputs.source == 'src' }} @@ -547,7 +547,7 @@ jobs: - name: Code signing with Software Trust Manager if: ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }} - uses: digicert/ssm-code-signing@v1.2.1 + uses: digicert/ssm-code-signing@1d820463733701cf1484c7eb5d7d24a15ca2c454 # v1.2.1 - name: Build Windows Packages run: | diff --git a/.github/workflows/dependabot-sync.yml b/.github/workflows/dependabot-sync.yml index f03b11c533d9..33cfbacdf0fc 100644 --- a/.github/workflows/dependabot-sync.yml +++ b/.github/workflows/dependabot-sync.yml @@ -25,19 +25,19 @@ jobs: steps: - name: Generate a token id: generate-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }} - name: Checkout Code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: ${{ github.head_ref || github.ref }} token: ${{ steps.generate-token.outputs.token }} - name: Set up Python 3.11 - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.11" diff --git a/.github/workflows/nightly-stress-test.yml b/.github/workflows/nightly-stress-test.yml index c2dce9415675..33ecb0c41d65 100644 --- a/.github/workflows/nightly-stress-test.yml +++ b/.github/workflows/nightly-stress-test.yml @@ -19,13 +19,13 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Cache Docker layers - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: /tmp/.buildx-cache key: ${{ runner.os }}-buildx-${{ github.sha }} @@ -148,7 +148,7 @@ jobs: - name: Upload Artifacts id: upload-artifacts if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: stress-test-results path: | diff --git a/.github/workflows/run-nightly.yml b/.github/workflows/run-nightly.yml index bf832ef27f66..9599b375021e 100644 --- a/.github/workflows/run-nightly.yml +++ b/.github/workflows/run-nightly.yml @@ -58,7 +58,7 @@ jobs: - name: Generate a token id: generate-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 with: app-id: ${{ vars.APP_ID }} private-key: ${{ secrets.APP_PRIVATE_KEY }}