Commit 8549a73
ci: pin GitHub Actions to commit SHAs (#260)
Pin every external `uses: owner/action@tag` in .github/workflows/ to a
full 40-char commit SHA, keeping the version tag as a trailing comment so
humans and Dependabot can still read the intended version.

SHA pinning is the GitHub-recommended hardening for third-party actions:
a moving tag can be repointed at malicious code, a commit SHA cannot.

dependabot.yml already declares the github-actions ecosystem (weekly),
so it will keep these pins current by bumping the SHA + comment together.
No dependabot change needed.

Local reusable-workflow ref (./.github/workflows/release_desktop.yml) is
left as-is; only external references are pinned.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

1 parent 222a5f2 commit 8549a73
13 files changed
Lines changed: 110 additions & 110 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
79 | 79 | | |
80 | 80 | | |
81 | 81 | | |
82 | | - | |
| 82 | + | |
83 | 83 | | |
84 | 84 | | |
85 | 85 | | |
86 | 86 | | |
87 | 87 | | |
88 | 88 | | |
89 | 89 | | |
90 | | - | |
| 90 | + | |
91 | 91 | | |
92 | 92 | | |
93 | 93 | | |
94 | 94 | | |
95 | 95 | | |
96 | | - | |
| 96 | + | |
97 | 97 | | |
98 | | - | |
| 98 | + | |
99 | 99 | | |
100 | 100 | | |
101 | 101 | | |
| |||
134 | 134 | | |
135 | 135 | | |
136 | 136 | | |
137 | | - | |
| 137 | + | |
138 | 138 | | |
139 | 139 | | |
140 | 140 | | |
| |||
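Review bot: the replaced lines (82, 90, 96, 98 and 137) render here with no content, so neither the SHAs nor their trailing version comments can be checked from this view. Before merging, confirm that each 40-character SHA is the commit the commented tag points to in the action's own upstream repository, and that none of the 110 changed lines touches the local ./.github/workflows/release_desktop.yml reference the message says is left as-is.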
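The pinning rule stated in the commit message can be enforced with a small lint step. The script below is an added example, not part of this commit or the project: it flags external `uses:` references that are not a full 40-char SHA or that lack the trailing version comment, and skips local `./` references. The sample workflow, the `example-org` action names and the SHA values are constructed.

```python
import re

# A `uses:` key at step or job level: captures the reference and any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)['\"]?\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_workflow(text):
    """Return (line_no, ref, problem) for each external `uses:` that breaks the pinning rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), (m.group(2) or "").strip()
        # Local actions and reusable workflows come from this repository: nothing to pin.
        if ref.startswith("./"):
            continue
        # Container references are pinned by image digest; out of scope for this check.
        if ref.startswith("docker://"):
            continue
        _, sep, rev = ref.partition("@")
        if not sep:
            findings.append((no, ref, "no ref given"))
        elif not FULL_SHA_RE.fullmatch(rev):
            # Tags, branches and abbreviated SHAs all land here.
            findings.append((no, ref, "not pinned to a full 40-char commit SHA"))
        elif not comment:
            findings.append((no, ref, "SHA pin has no trailing version comment"))
    return findings

# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/build-action@0123456789abcdef0123456789abcdef01234567 # v4.0.0
      - uses: example-org/lint-action@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/other-action@0123456
  release:
    uses: ./.github/workflows/release_desktop.yml
"""

if __name__ == "__main__":
    for no, ref, problem in audit_workflow(SAMPLE):
        print(f"line {no}: {ref}: {problem}")
```

The check is syntactic only: it cannot tell whether a SHA actually corresponds to the tag named in its comment, which still has to be verified against the action's repository.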