ci: pin GitHub Actions by SHA instead of mutable tags #261

Merged

claude-ceo-assistant merged 1 commits from ci/pin-action-and-base-images into main

2026-05-10 08:57:54 +00:00

Author	SHA1	Message	Date
core-devops	03689e3d9a	ci: pin GitHub Actions by SHA instead of mutable tags Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s Details sop-tier-check / tier-check (pull_request) Successful in 5s Details audit-force-merge / audit (pull_request) Successful in 6s Details - actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2) in secret-pattern-drift.yml - pypa/gh-action-pypi-publish@release/v1 → @cef221092ed1bacb1cc03d23a2d87d1d172e277b in publish-runtime.yml Mutable action tags (e.g. @v6, @release/v1) can silently resolve to different code over time, creating supply-chain risk. SHA-pinning ensures the exact commit runs every time. Workspace Dockerfile was already compliant (python:3.11-slim@sha256:...). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-05-10 07:55:39 +00:00

Author

SHA1

Message

Date

core-devops

03689e3d9a

ci: pin GitHub Actions by SHA instead of mutable tags

Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s

Details

sop-tier-check / tier-check (pull_request) Successful in 5s

Details

audit-force-merge / audit (pull_request) Successful in 6s

Details

- actions/checkout@v6 → @de0fac2e4500dabe0009e67214ff5f5447ce83dd (v6.0.2)
  in secret-pattern-drift.yml
- pypa/gh-action-pypi-publish@release/v1 →
  @cef221092ed1bacb1cc03d23a2d87d1d172e277b in publish-runtime.yml

Mutable action tags (e.g. @v6, @release/v1) can silently resolve to
different code over time, creating supply-chain risk. SHA-pinning
ensures the exact commit runs every time. Workspace Dockerfile was
already compliant (python:3.11-slim@sha256:...).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-05-10 07:55:39 +00:00

ci: pin GitHub Actions by SHA instead of mutable tags #261

1 Commits