From 03689e3d9af93e13ce9d38f07e99d71ecea72665 Mon Sep 17 00:00:00 2001 From: Molecule AI Core-DevOps Date: Sun, 10 May 2026 07:55:39 +0000 Subject: [PATCH] ci: pin GitHub Actions by SHA instead of mutable tags MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2) in secret-pattern-drift.yml - pypa/gh-action-pypi-publish@release/v1 → @cef221092ed1bacb1cc03d23a2d87d1d172e277b in publish-runtime.yml Mutable action tags (e.g. @v6, @release/v1) can silently resolve to different code over time, creating supply-chain risk. SHA-pinning ensures the exact commit runs every time. Workspace Dockerfile was already compliant (python:3.11-slim@sha256:...). Co-Authored-By: Claude Opus 4.7 --- .github/workflows/publish-runtime.yml | 2 +- .github/workflows/secret-pattern-drift.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml index 53a19d19..6118c113 100644 --- a/.github/workflows/publish-runtime.yml +++ b/.github/workflows/publish-runtime.yml @@ -180,7 +180,7 @@ jobs: # environment pypi-publish. The action mints a short-lived OIDC # token and exchanges it for a PyPI upload credential — no static # API token in this repo's secrets. - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1 with: packages-dir: ${{ runner.temp }}/runtime-build/dist/ diff --git a/.github/workflows/secret-pattern-drift.yml b/.github/workflows/secret-pattern-drift.yml index fa7fffa8..2517fea9 100644 --- a/.github/workflows/secret-pattern-drift.yml +++ b/.github/workflows/secret-pattern-drift.yml @@ -48,7 +48,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 5 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: