Skip to content

Fixing workflows with pinned versions #50

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 13, 2025
Merged

Fixing workflows with pinned versions #50

merged 1 commit into from
Oct 13, 2025

Conversation

dacoburn
Copy link
Collaborator

Pin GitHub Actions to full-length commit SHAs for security compliance. Updates all workflow files to use SHA-pinned versions instead of tag references to prevent supply chain attacks and ensure reproducibility.

Public Changelog

N/A

@dacoburn dacoburn requested a review from a team as a code owner October 13, 2025 22:28
@dacoburn dacoburn requested review from cenobitedk and jdalton and removed request for a team October 13, 2025 22:28
@socket-security Socket Security
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub/​actions/​setup-python@​f677139bbe7f9c59b41e40162b753c062f5d49a39910010010080
Updatedgithub/​actions/​checkout@​11bd71901bbe5b1630ceea73d27597364c9af683 ⏵ eef61447b9ff4aafe5dcd4e0bbf5d482be7e787198100100100100
Updatedgithub/​actions/​github-script@​5c56fde4671bc2d3592fb0f2c5b5bab9ddae03b1 ⏵ 60a0d83039c74a4aee543508d2ffcb1c3799cdea100100100100100
Updatedgithub/​pypa/​gh-action-pypi-publish@​7f25271a4aa483500f742f9492b2ab5648d61011 ⏵ 67339c736fd9354cd4f8cb0b744f2b82a74b5c70100100100100100

View full report

@socket-security-staging Socket Security Staging
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub/​actions/​setup-python@​f677139bbe7f9c59b41e40162b753c062f5d49a39910010010080
Updatedgithub/​actions/​checkout@​11bd71901bbe5b1630ceea73d27597364c9af683 ⏵ eef61447b9ff4aafe5dcd4e0bbf5d482be7e787199100100100100
Updatedgithub/​actions/​github-script@​5c56fde4671bc2d3592fb0f2c5b5bab9ddae03b1 ⏵ 60a0d83039c74a4aee543508d2ffcb1c3799cdea100100100100100
Updatedgithub/​pypa/​gh-action-pypi-publish@​7f25271a4aa483500f742f9492b2ab5648d61011 ⏵ 67339c736fd9354cd4f8cb0b744f2b82a74b5c70100100100100100

View full report

@dacoburn dacoburn merged commit 06994cc into main Oct 13, 2025
5 of 6 checks passed
@dacoburn dacoburn deleted the doug/pin-action-versions branch October 13, 2025 22:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ahmadnassri ahmadnassri ahmadnassri approved these changes

@jdalton jdalton Awaiting requested review from jdalton jdalton is a code owner automatically assigned from SocketDev/eng

@cenobitedk cenobitedk Awaiting requested review from cenobitedk cenobitedk is a code owner automatically assigned from SocketDev/eng

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dacoburn @ahmadnassri