From 986d0bd079b113cb88e79bdc76950c52828cd92e Mon Sep 17 00:00:00 2001
From: Martin Pinter
Date: Tue, 12 May 2026 10:16:09 +0200
Subject: [PATCH] ci: pin a-sync/s3-uploader to SHA (v2.0.1)
Pin to commit 1b1020511c685aeb5be20f23190d2d1b63ab19a6. a-sync/s3-uploader was previously referenced via @master, which is a mutable ref controlled by the upstream maintainer. Any push to master would silently run in our backup workflow with AWS credentials. Pinning to an immutable SHA closes that supply-chain risk.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/backup-kubernetes-databases-inhouse.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/backup-kubernetes-databases-inhouse.yml b/.github/workflows/backup-kubernetes-databases-inhouse.yml
index b29852e..f027364 100644
--- a/.github/workflows/backup-kubernetes-databases-inhouse.yml
+++ b/.github/workflows/backup-kubernetes-databases-inhouse.yml
@@ -257,7 +257,7 @@ jobs:
 - name: Upload folder to bucket
 if: inputs.aws
- uses: a-sync/s3-uploader@master
+ uses: a-sync/s3-uploader@1b1020511c685aeb5be20f23190d2d1b63ab19a6 # v2.0.1
 with:
 args: --recursive --exclude "*.log"
 env:
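Review bot: The trailing `# v2.0.1` on the new `uses:` line is only a comment, so nothing in the workflow checks that 1b1020511c685aeb5be20f23190d2d1b63ab19a6 is the commit that tag points to in a-sync/s3-uploader. GitHub also resolves SHAs that exist only in a fork of the action's repository, so the commit should be confirmed against the upstream repo before merge. The pin freezes the action's own files but not anything its `action.yml` fetches at run time (a container image by tag, packages installed on start); I cannot see that from this hunk, and it would still run next to whatever the step passes under `env:`, presumably the AWS credentials the description mentions. I would add a line above the step such as `# SHA verified against upstream tag v2.0.1; re-verify on every bump` and let Dependabot or Renovate propose the updates. The step's `env:` mapping continues outside the hunk.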