From e6f64eb136e0e379c112fa74f72e798160de52de Mon Sep 17 00:00:00 2001
From: Satya Kwok <119509589+satyakwok@users.noreply.github.com>
Date: Tue, 12 May 2026 05:19:59 +0200
Subject: [PATCH] ci: pin third-party GitHub Actions to commit SHAs

Replaces tag refs (`@v3`, `@v2`) with full commit SHAs. Comments preserve the original tag for human readability and so dependabot can still propose upgrades. SHAs verified via GitHub commits API at the time of this commit.
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/codeql.yml | 4 ++--
 .github/workflows/release.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 047973f..dbdf8ee 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,7 +17,7 @@ jobs:
       - uses: actions/checkout@v6
       - name: Install pnpm
-        uses: pnpm/action-setup@v6
+        uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6
         with:
           version: 9
           run_install: false
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 12e14ed..1cba0f7 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,9 +23,9 @@ jobs:
         language: ['javascript-typescript']
     steps:
       - uses: actions/checkout@v5
-      - uses: github/codeql-action/init@v3
+      - uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
         with:
           languages: ${{ matrix.language }}
-      - uses: github/codeql-action/analyze@v3
+      - uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
         with:
           category: '/language:${{ matrix.language }}'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a74e1f..aece3a9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
       - uses: actions/checkout@v6
       - name: Install pnpm
-        uses: pnpm/action-setup@v6
+        uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6
         with:
           version: 9
           run_install: false
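Review bot: `actions/checkout@v6` on the context line directly above the newly pinned pnpm/action-setup step in ci.yml is still a mutable tag ref, so the job stays exposed to tag re-pointing even after this pin; the same applies to `actions/checkout@v6` in the release.yml hunk and `actions/checkout@v5` in the codeql.yml hunk, while `github/codeql-action` (also GitHub-owned) was pinned, so the "third-party" boundary is applied inconsistently. If leaving `actions/*` on tags is deliberate, a comment above those steps such as `# actions/* intentionally left on tag refs; pin policy: <link to policy>` would stop the next reviewer from re-raising it, and the v5/v6 split between codeql.yml and the other two workflows looks accidental rather than intended. The pinned SHAs cannot be checked against their tags from the diff alone, so confirm each one resolves to the release named in its trailing comment before merging, and confirm that the repository's dependabot configuration covers the `github-actions` ecosystem, since the trailing `# v6`/`# v3` comments only help if it does. The commit description mentions `@v2`, which appears in none of the hunks (the replaced refs are `@v6` and `@v3`), so the message needs correcting. The enclosing `steps:` lists begin and end outside every hunk.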