ci: SHA-pin GitHub Actions for supply-chain security (#146)

jimisola · Jimisola Laursen · github-advanced-security[bot] · web-flow · commit cc713c011ace · 2026-03-07T23:48:44.000+01:00
* build: SHA-pin GitHub Actions for supply-chain security

Pin external action references to exact commit SHAs instead of
branch or major-version tags to prevent supply-chain attacks.

Signed-off-by: jimisola &lt;jimisola@jimisola.com&gt;

* ci: potential fix for code scanning alert no. 10: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
Signed-off-by: Jimisola Laursen &lt;jimisola@jimisola.com&gt;

---------

Signed-off-by: jimisola &lt;jimisola@jimisola.com&gt;
Signed-off-by: Jimisola Laursen &lt;jimisola@jimisola.com&gt;
Co-authored-by: Jimisola Laursen &lt;jimisola.laursen@resurs.se&gt;
Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml
@@ -5,6 +5,9 @@ on:
   pull_request_target:
     types: [opened, edited, synchronize, reopened]
 
+permissions:
+  contents: read
+
 jobs:
   check:
-    uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main
+    uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
