fix: pin GitHub Actions to SHA for supply chain security#634
Conversation
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
|
❌ CI failing — pre-existing on base, PR is not the cause. Failing checks:
Pin analysis: all 5 modified |
|
❌ CI failing — pre-existing on base branch ( Failing checks:
Pin-vs-bump analysis: All 10 modified Not merging because required CI checks are red. The |
|
❌ CI failing — pre-existing on base, PR is not the cause. Failing checks:
Bump-vs-pin analysis: All 5 action changes across
Decision: Not merging. CI failures are pre-existing on |
|
❌ CI failing — pre-existing on base, not introduced by this PR. Failing checks:
Bump-vs-pin analysis: all 5 changed |
GitHub retired actions/cache v1/v2 on Feb 1, 2025; runs requesting those versions auto-fail at the 'Getting action download info' step regardless of SHA pinning. v4 is input-compatible with v2 so no workflow changes beyond the version bump are needed. Ref: https://github.blog/changelog/2024-12-05-notice-of-upcoming-releases-and-breaking-changes-for-github-actions/#actions-cache-v1-v2-and-actions-toolkit-cache-package-closing-down
|
CI red for unrelated reasons, repo has been unmaintained 2.5 years |
Summary
Pin all GitHub Actions to full commit SHAs for supply chain security.
Actions referenced by tag or branch have been resolved to their commit SHA, with the original ref preserved as an inline comment. Where a sub-action had unpinned transitive dependencies, the action was upgraded to the closest newer version where all sub-actions are fully pinned.
References to this repo's own reusable workflows / composite actions have been rewritten to relative
./paths, which run from the current commit and are exempt from SHA-pinning enforcement.