From f6b675975190bbf79fc4c7e481ece522c4180844 Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Mon, 23 Mar 2026 13:53:26 -0400
Subject: [PATCH] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/workflows/manual-publish.yml | 2 +-
 .github/workflows/release-please.yml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index 1accc37..4ecfe87 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -34,6 +34,6 @@ jobs:
 - name: Publish package distributions to PyPI
 if: ${{ inputs.dry_run == 'false' }}
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 password: ${{env.PYPI_AUTH_TOKEN}}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 40ff693..3e281f8 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -12,7 +12,7 @@ jobs:
 contents: write # Contents and pull-requests are for release-please to make releases.
 pull-requests: write
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
 id: release
 - uses: actions/checkout@v4
@@ -44,6 +44,6 @@ jobs:
 - name: Publish package distributions to PyPI
 if: ${{ steps.release.outputs.releases_created == 'true' }}
- uses: pypa/gh-action-pypi-publish@release/v1
+ uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
 with:
 password: ${{env.PYPI_AUTH_TOKEN}}
\ No newline at end of file
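Review bot: The trailing comment on the new `uses:` line in the manual-publish.yml hunk records the moving branch `release/v1` rather than the immutable release the SHA was resolved from, so a reader cannot tell which version is actually pinned and version-update tooling has no stable reference to compare against; the identical line in the release-please.yml hunk at `@@ -44,6 +44,6` has the same problem. Change the comment to the exact tag that `ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e` corresponds to, `uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # <exact-release-tag>`, filling the placeholder in only after checking the SHA against the upstream tag list, since a pin is only as trustworthy as that verification. The commit message does not say how the SHA was obtained, so a sentence naming the tag and the date it was checked would let the next reviewer re-verify it. The `password: ${{env.PYPI_AUTH_TOKEN}}` context line shows the step still authenticates with a long-lived token, which this commit does not touch; with the publisher now pinned, that credential is the remaining weak point and is worth a follow-up. The enclosing job and its steps list begin outside the hunk.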
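Review bot: `- uses: actions/checkout@v4` on the context line directly below the newly pinned release-please step is still referenced by a mutable major tag, so this steps list now mixes SHA-pinned and tag-pinned actions inside a job that holds `contents: write` and `pull-requests: write`; presumably it was left alone because the Semgrep rule only flags third-party actions, but the exposure from a moved tag is the same class regardless of who owns the action. Either pin it the same way, `- uses: actions/checkout@<full-commit-sha> # v4` with the real SHA, or add a comment on that line stating that first-party `actions/*` references are deliberately exempt, so the inconsistency reads as policy rather than oversight. The `# v4` comment on the new line names a floating major tag; recording the exact release tag that `16a9c90856f42705d54a6fda1823352bdc62cf38` resolves to makes the pin auditable. The job's `permissions:` and `steps:` blocks extend outside the hunk.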