Merge pull request anthropics#601 from anthropics/devsec/pin-actions

zealoushacker · web-flow · commit 39a350b6790c · 2026-05-19T12:32:24.000-06:00
Pin GitHub Actions to commit SHAs
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
@@ -113,7 +113,7 @@ jobs:
       - name: Check Links with Lychee (PR - changed files only)
         if: github.event_name == 'pull_request' && steps.changed-files.outputs.has_changes == 'true' && steps.file-list.outputs.has_files == 'true'
         id: lychee
-        uses: lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 (sha-pinned)
         with:
           args: |
             --config lychee.toml
@@ -127,7 +127,7 @@ jobs:
       - name: Check Links with Lychee (scheduled/manual - all files)
         if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
         id: lychee-full
-        uses: lycheeverse/lychee-action@v2
+        uses: lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411 # v2.8.0 (sha-pinned)
         with:
           args: |
             --config lychee.toml
@@ -142,7 +142,7 @@ jobs:
       
       - name: Comment PR with results
         if: github.event_name == 'pull_request' && steps.lychee.outputs.exit_code != 0
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4 (sha-pinned)
         with:
           header: link-check
           path: lychee-report.md
diff --git a/.github/workflows/lint-format.yml b/.github/workflows/lint-format.yml
@@ -26,7 +26,7 @@ jobs:
       - uses: actions/checkout@v6
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 (sha-pinned)
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
diff --git a/.github/workflows/notebook-diff-comment.yml b/.github/workflows/notebook-diff-comment.yml
@@ -19,7 +19,7 @@ jobs:
           fetch-depth: 0  # Need full history to diff against base
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 (sha-pinned)
         with:
           enable-cache: true
 
diff --git a/.github/workflows/notebook-quality.yml b/.github/workflows/notebook-quality.yml
@@ -23,7 +23,7 @@ jobs:
       - uses: actions/checkout@v6
       
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 (sha-pinned)
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
diff --git a/.github/workflows/notebook-tests.yml b/.github/workflows/notebook-tests.yml
@@ -27,7 +27,7 @@ jobs:
           fetch-depth: 0  # Need full history for diff
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4.2.0 (sha-pinned)
         with:
           enable-cache: true
           cache-dependency-glob: "uv.lock"
