docs: fix stale action-pin version comments in security workflows#479
Merged
Conversation
devskim.yml/codeql.yml/semgrep.yml/fortify.yml labeled the actions/checkout SHA 9c091bb2... and actions/setup-python SHA ece7cb06... as v6/v7, while ci.yml/pip-audit.yml/codex.yml/claude.yml label the identical SHAs v7.0.0/v6.3.0. Verified against upstream tags (git ls-remote --tags): the checkout SHA maps to v7.0.0, the setup-python SHA maps to v6.3.0. Comment-only change, zero behavior change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
devskim.yml,codeql.yml,semgrep.yml, andfortify.ymllabel theactions/checkoutSHA9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0and/or theactions/setup-pythonSHAece7cb06caefa5fff74198d8649806c4678c61a1as# v6/# v7, whileci.yml,pip-audit.yml,codex.yml, andclaude.ymllabel the identical SHAs# v7.0.0/# v6.3.0. Verified against upstream (git ls-remote --tags): the checkout SHA maps tov7.0.0, the setup-python SHA maps tov6.3.0. Fixed the 4 outlier files to match the convention used everywhere else.Why / benefit
The whole point of the SHA+comment pin convention is that an auditor can compare pins across files. With the same SHA labeled differently in different files, that comparison silently breaks. Comment-only change — the actual pinned commits (and therefore CI behavior) are unchanged.
Risk to monitor
None — this changes only trailing
# vXcomments, not the pinned SHAs themselves. Verified all 4 touched files still parse as valid YAML (yaml.safe_load).Scan context
CyClaw-Optimize (ponytail + Karpathy + fable-protocol loaded). Finding #4 of an 8-finding scan; deduped against open PRs #473, #477, #415.
Generated by Claude Code