From ab5da19f6ed786f097ccae60fb348393641587e7 Mon Sep 17 00:00:00 2001 From: Guy Korland Date: Thu, 26 Mar 2026 11:59:28 +0200 Subject: [PATCH] ci(workflows): pin GitHub Actions dependencies to commit SHAs Pin all third-party GitHub Actions to their full commit SHA instead of mutable version tags. This is a supply-chain security best practice that prevents tag-mutation attacks. Changed files: ci.yml, npm-publish.yml Total actions pinned: 5 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/ci.yml | 6 +++--- .github/workflows/npm-publish.yml | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a4d63fc..f85f005 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,10 +14,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20' @@ -37,6 +37,6 @@ jobs: run: npm run coverage - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v4 + uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4 with: token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index cee12b8..c8c2eaa 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -11,8 +11,8 @@ jobs: publish-npm: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 20 registry-url: https://registry.npmjs.org/