Commit b6bc854

authored
ci: pin actions to commit hashes (#27)
## Summary - Replaces mutable action version tags (e.g. `@v4`) with locked commit SHAs - Tag names are preserved as inline comments for readability - Prevents supply chain attacks from compromised or force-pushed tags > Generated by [pin-actions.sh](https://gist.github.com/kaze-cow/c9591cf504dd90e92d0426e32198b43d)
1 parent bfed0b2 commit b6bc854

3 files changed

+6
-7
lines changed

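--- a/.github/workflows/claude-code-review.yml
+++ b/.github/workflows/claude-code-review.yml
@@ -18,12 +18,12 @@ jobs:
 id-token: write
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 1
 
 - name: PR Review with Progress Tracking
-uses: anthropics/claude-code-action@v1
+uses: anthropics/claude-code-action@6e2bd52842c65e914eba5c8badd17560bd26b5de # v1
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 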
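Review bot: The trailing `# v4` and `# v1` comments on the two pinned `uses:` lines name only the floating major tag, so nothing in the file records which release each SHA was taken from, and the comment will read the same after the tag has moved on. I would record the exact release instead, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y` (`v4.x.y` is a placeholder for the release this commit belongs to), which gives reviewers and update tooling something to compare against. Because the SHAs were produced by a script, each one should be checked once against the tag in the action's own upstream repository rather than a fork of it. The same applies to the pins in `claude.yml` and `test.yml`. The job's step list starts and ends outside this hunk.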

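--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -28,13 +28,13 @@ jobs:
 actions: read # Required for Claude to read CI results on PRs
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 1
 
 - name: Run Claude Code
 id: claude
-uses: anthropics/claude-code-action@v1
+uses: anthropics/claude-code-action@6e2bd52842c65e914eba5c8badd17560bd26b5de # v1
 with:
 claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
 
@@ -49,4 +49,3 @@ jobs:
 # See https://github.com/anthropics/claude-code-action/blob/main/docs/usage.md
 # or https://docs.claude.com/en/docs/claude-code/cli-reference for available options
 # claude_args: '--allowed-tools Bash(gh pr:*)'
-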
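Review bot: The checkout step in the first hunk still runs with its default credential persistence, so the job token stays in the workspace's local git config while the third-party action in the next step runs with `secrets.CLAUDE_CODE_OAUTH_TOKEN`. If the Claude step does not push through those stored credentials (not visible from this hunk), add `persist-credentials: false` under the checkout's `with:` next to `fetch-depth: 1`. The same setting is worth adding to the checkout steps in `claude-code-review.yml` and `test.yml`, where nothing in the visible lines pushes. The job's full permissions block and trigger conditions lie outside the hunk, so this should be confirmed against the whole file.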

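--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,12 +14,12 @@ jobs:
 name: Foundry project
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
 
 - name: Install Foundry
-uses: foundry-rs/foundry-toolchain@v1
+uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10 # v1
 with:
 version: v1.4.3
 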
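Review bot: The commit SHA on `foundry-rs/foundry-toolchain` covers only the action's own code; the Foundry release it installs for `version: v1.4.3` is presumably fetched at run time and is not locked by this pin. A comment above the "Install Foundry" step would keep that visible, e.g. `# SHA pins the action only; the Foundry v1.4.3 binaries are fetched at run time`. It is also worth checking whether the action verifies a checksum or attestation for that download, since the workflow itself does not. The job's step list continues outside the hunk.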
