ci: pin GitHub Actions by SHA instead of mutable tags (staging sync)
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 47s
sop-tier-check / tier-check (pull_request) Failing after 44s

Cherry-pick from main (03689e3d) to restore SHA pinning on staging branch.

- actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
  in .github/workflows/secret-pattern-drift.yml
- pypa/gh-action-pypi-publish@release/v1 →
  @cef221092ed1bacb1cc03d23a2d87d1d172e277b in .github/workflows/publish-runtime.yml

Mutable action tags create supply-chain risk. SHA-pinning ensures the exact
commit runs every time.

[core-devops-agent]

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Molecule AI · core-devops 2026-05-10 09:27:46 +00:00
parent 97fcb32840
commit a8d4f8363a
2 changed files with 2 additions and 2 deletions


@ -180,7 +180,7 @@ jobs:
# environment pypi-publish. The action mints a short-lived OIDC
# token and exchanges it for a PyPI upload credential — no static
# API token in this repo's secrets.
uses: pypa/gh-action-pypi-publish@release/v1
uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
with:
packages-dir: ${{ runner.temp }}/runtime-build/dist/
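Review bot: the trailing `# release/v1` comment on the new `uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b` line records the mutable branch the pin replaced, not the release the SHA corresponds to, so a reader cannot audit the pin by eye and comment-driven updaters (Dependabot/Renovate bump the SHA and rewrite the version comment) have nothing to track. Suggest annotating it the same way the checkout pin in this commit is annotated (`# v6.0.2`), i.e. with the concrete release tag that resolves to this commit in the upstream pypa/gh-action-pypi-publish repository, and confirming that the SHA is reachable from that upstream tag rather than only from a fork: GitHub resolves any commit in the fork network under the upstream repository name, so a SHA pin only gives the "exact commit runs every time" guarantee the commit message claims if the commit came from upstream. The OIDC trusted-publishing setup described in the surrounding comment is unaffected by this change.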


@ -48,7 +48,7 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
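Review bot: the checkout pin on the new `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` line matches the commit message and is consistent with the already-pinned `actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0` step directly below it, so the remaining thing to verify before merge is that `de0fac2e4500dabe0009e67214ff5f5447ce83dd` is the commit the upstream `v6.0.2` tag actually points to, e.g. with `git ls-remote --tags https://github.com/actions/checkout v6.0.2` (for an annotated tag, compare against the peeled `^{}` line). Two follow-ups worth noting: the `sop-tier-check` job is shown failing on this pull request in the status lines at the top of the page and should be confirmed unrelated to a one-line pin change before the cherry-pick lands, and if the repository does not already have Dependabot's `github-actions` ecosystem enabled, adding it keeps these SHA pins from rotting now that the mutable tags are gone.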