Skip to content

docs: fix stale action-pin version comments in security workflows#479

Merged
cgfixit merged 1 commit into
mainfrom
claude/cyclaw-optimize-action-pin-comments
Jul 9, 2026
Merged

docs: fix stale action-pin version comments in security workflows#479
cgfixit merged 1 commit into
mainfrom
claude/cyclaw-optimize-action-pin-comments

Conversation

@cgfixit

@cgfixit cgfixit commented Jul 9, 2026

Copy link
Copy Markdown
Owner

What

devskim.yml, codeql.yml, semgrep.yml, and fortify.yml label the actions/checkout SHA 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 and/or the actions/setup-python SHA ece7cb06caefa5fff74198d8649806c4678c61a1 as # v6/# v7, while ci.yml, pip-audit.yml, codex.yml, and claude.yml label the identical SHAs # v7.0.0/# v6.3.0. Verified against upstream (git ls-remote --tags): the checkout SHA maps to v7.0.0, the setup-python SHA maps to v6.3.0. Fixed the 4 outlier files to match the convention used everywhere else.

Why / benefit

The whole point of the SHA+comment pin convention is that an auditor can compare pins across files. With the same SHA labeled differently in different files, that comparison silently breaks. Comment-only change — the actual pinned commits (and therefore CI behavior) are unchanged.

Risk to monitor

None — this changes only trailing # vX comments, not the pinned SHAs themselves. Verified all 4 touched files still parse as valid YAML (yaml.safe_load).

Scan context

CyClaw-Optimize (ponytail + Karpathy + fable-protocol loaded). Finding #4 of an 8-finding scan; deduped against open PRs #473, #477, #415.


Generated by Claude Code

devskim.yml/codeql.yml/semgrep.yml/fortify.yml labeled the actions/checkout
SHA 9c091bb2... and actions/setup-python SHA ece7cb06... as v6/v7, while
ci.yml/pip-audit.yml/codex.yml/claude.yml label the identical SHAs
v7.0.0/v6.3.0. Verified against upstream tags (git ls-remote --tags): the
checkout SHA maps to v7.0.0, the setup-python SHA maps to v6.3.0. Comment-only
change, zero behavior change.
@cgfixit cgfixit marked this pull request as ready for review July 9, 2026 19:28
@cgfixit cgfixit merged commit 1642c5c into main Jul 9, 2026
29 checks passed
@cgfixit cgfixit deleted the claude/cyclaw-optimize-action-pin-comments branch July 9, 2026 19:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants