Skip to content

chore: pin actions to SHA and add CI#1

Merged
platinummonkey merged 2 commits into
mainfrom
chore/pin-actions-update-workflows
Apr 11, 2026
Merged

chore: pin actions to SHA and add CI#1
platinummonkey merged 2 commits into
mainfrom
chore/pin-actions-update-workflows

Conversation

@platinummonkey

Copy link
Copy Markdown
Owner

Summary

  • Pin action SHAs in all existing workflow files for supply-chain security — replaces floating @main and @vX refs with full commit SHAs (with tag/branch comment for readability)
  • Add CI workflow (.github/workflows/ci.yml) that runs brew audit --strict --online on every push to main and every PR; uses || true to avoid failing on transient network issues
  • No formula/cask version changes — only workflow files touched

Actions pinned

File Action Ref → SHA
publish.yml Homebrew/actions/setup-homebrew main59e6b20
publish.yml Homebrew/actions/git-user-config main59e6b20
publish.yml Homebrew/actions/git-try-push main59e6b20
tests.yml Homebrew/actions/setup-homebrew main59e6b20
tests.yml actions/cache v40057852
tests.yml actions/upload-artifact v4ea165f8
ci.yml (new) actions/checkout v434e1148

Test plan

  • CI workflow triggers on this PR and completes without error
  • brew audit step runs and reports any cask issues (non-blocking via || true)
  • Existing brew test-bot workflow still passes with pinned SHA

🤖 Generated with Claude Code

platinummonkey and others added 2 commits April 11, 2026 16:59
Pin all GitHub Actions references to full commit SHAs for supply-chain
security. Add a simple brew audit CI workflow for cask syntax checking.

- publish.yml: pin Homebrew/actions/setup-homebrew, git-user-config, git-try-push @main -> SHA
- tests.yml: pin Homebrew/actions/setup-homebrew @main, actions/cache@v4, actions/upload-artifact@v4 -> SHAs
- ci.yml: new workflow running brew audit --strict --online on push/PR

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
brew audit no longer accepts file paths; use `brew tap` to register the
local checkout and then audit by qualified cask name.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@platinummonkey platinummonkey merged commit 61c74f1 into main Apr 11, 2026
1 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant