Goal
Pin all GitHub Actions in /.github/workflows/ci.yml to immutable commit SHAs.
Why
ci.yml currently references mutable tags (for example @v4, @v5, @v2). Pinning SHAs reduces supply-chain risk and improves reproducibility.
Scope
- Update each uses: entry in ci.yml from mutable tags to full commit SHAs.
- Keep the resolved version in an inline comment for readability (example: # v4.3.1).
- Keep behavior unchanged.
Acceptance criteria
- All actions in ci.yml are pinned by full SHA.
- Workflow behavior remains functionally identical.
- CI remains green after the change.