From a8d4f8363a446cadce460ebb8624eecd30a283f1 Mon Sep 17 00:00:00 2001
From: Molecule AI Core-DevOps
Date: Sun, 10 May 2026 09:27:46 +0000
Subject: [PATCH] ci: pin GitHub Actions by SHA instead of mutable tags (staging sync)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cherry-pick from main (03689e3d) to restore SHA pinning on staging branch.

- actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2) in .github/workflows/secret-pattern-drift.yml
- pypa/gh-action-pypi-publish@release/v1 → @cef221092ed1bacb1cc03d23a2d87d1d172e277b in .github/workflows/publish-runtime.yml

Mutable action tags create supply-chain risk. SHA-pinning ensures the exact commit runs every time.

[core-devops-agent]

Co-Authored-By: Claude Opus 4.7
---
 .github/workflows/publish-runtime.yml | 2 +-
 .github/workflows/secret-pattern-drift.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish-runtime.yml b/.github/workflows/publish-runtime.yml
index 53a19d19..6118c113 100644
--- a/.github/workflows/publish-runtime.yml
+++ b/.github/workflows/publish-runtime.yml
@@ -180,7 +180,7 @@ jobs:
 # environment pypi-publish. The action mints a short-lived OIDC
 # token and exchanges it for a PyPI upload credential — no static
 # API token in this repo's secrets.
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
 with:
 packages-dir: ${{ runner.temp }}/runtime-build/dist/
diff --git a/.github/workflows/secret-pattern-drift.yml b/.github/workflows/secret-pattern-drift.yml
index fa7fffa8..2517fea9 100644
--- a/.github/workflows/secret-pattern-drift.yml
+++ b/.github/workflows/secret-pattern-drift.yml
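Review bot: The trailing comment on the new `uses:` line records `release/v1`, a moving branch name, so it does not identify which published release the pinned SHA corresponds to — unlike the `# v6.0.2` comment on the checkout pin in secret-pattern-drift.yml, which is the form that Dependabot and Renovate read to understand and update SHA pins. A reviewer also cannot check the pin against a tagged release from this line alone, which matters here because the step handles the OIDC token exchange for the PyPI upload. Suggest replacing the comment with the release tag this commit carries upstream once confirmed, e.g. `uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # <release tag for this SHA>`. The message says this restores pinning that was lost on staging; unless a CI check rejects unpinned `uses:` references (none is visible in this patch), the same drift can recur. The publish step and its enclosing job begin above the hunk.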
@@ -48,7 +48,7 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with: