From f37510f3f897d1a36dbb8de59c84b315ecb5ff8f Mon Sep 17 00:00:00 2001 From: Brian G Date: Tue, 12 May 2026 10:22:41 +0100 Subject: [PATCH] chore: pin GitHub Actions to commit SHAs Pin every `uses:` ref in .github/workflows and composite actions to a full 40-character commit SHA, with the original tag preserved as a comment, e.g. uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 Tags and branches are mutable; commit SHAs are not. Pinning to a SHA closes a supply-chain vector where a compromised action could replace what runs in CI without changing the tag we reference. Generated mechanically with `pinact run` (https://github.com/suzuki-shunsuke/pinact). No version bumps were applied (strict pin). --- .github/workflows/nft-resolver-tests.yml | 4 ++-- .github/workflows/security-code-scanner.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/nft-resolver-tests.yml b/.github/workflows/nft-resolver-tests.yml index b313d19..6960a95 100644 --- a/.github/workflows/nft-resolver-tests.yml +++ b/.github/workflows/nft-resolver-tests.yml @@ -11,11 +11,11 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Cache node modules id: cache-npm - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 env: cache-name: cache-node-modules with: diff --git a/.github/workflows/security-code-scanner.yml b/.github/workflows/security-code-scanner.yml index c806541..7a9b28d 100644 --- a/.github/workflows/security-code-scanner.yml +++ b/.github/workflows/security-code-scanner.yml @@ -17,7 +17,7 @@ on: jobs: security-scan: - uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@v2 + uses: MetaMask/action-security-code-scanner/.github/workflows/security-scan.yml@1cd598629833fa9fc1694f03abfce8d21b72eb5d # v2.0.6 permissions: actions: read contents: read