molecule-ai/molecule-core
36
0
Fork 2
Code Issues 24 Pull Requests 21 Actions 63 Packages Projects Releases Wiki Activity
d98a547af2
molecule-core/.github
History
Molecule AI Core-DevOps 03689e3d9a
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Details
sop-tier-check / tier-check (pull_request) Successful in 5s
Details
audit-force-merge / audit (pull_request) Successful in 6s
Details
ci: pin GitHub Actions by SHA instead of mutable tags 
- actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
  in secret-pattern-drift.yml
- pypa/gh-action-pypi-publish@release/v1 →
  @cef221092ed1bacb1cc03d23a2d87d1d172e277b in publish-runtime.yml

Mutable action tags (e.g. @v6, @release/v1) can silently resolve to
different code over time, creating supply-chain risk. SHA-pinning
ensures the exact commit runs every time. Workspace Dockerfile was
already compliant (python:3.11-slim@sha256:...).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-10 07:55:39 +00:00
..
scripts fix(scripts): migrate ghcr.io→ECR + raw.githubusercontent.com→Gitea (#46) 2026-05-07 00:56:23 -07:00
workflows ci: pin GitHub Actions by SHA instead of mutable tags 2026-05-10 07:55:39 +00:00
CODEOWNERS
dependabot.yml