From c49011a9907fecca908af089333c1e912ceaf467 Mon Sep 17 00:00:00 2001
From: Roy Dahan
Date: Mon, 8 Jun 2026 03:58:35 +0300
Subject: [PATCH] ci: pin GitHub Actions to commit SHAs

Pin all external GitHub Actions to full commit SHAs to reduce supply chain attack surface. Upgrade outdated actions to their latest versions.

Reference: https://github.com/scylladb/scylladb/pull/29421
---
 .github/workflows/publish_package_on_release.yml | 4 ++--
 .github/workflows/pull_request.yml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish_package_on_release.yml b/.github/workflows/publish_package_on_release.yml
index 29b7ef1f2..f1086f6ef 100644
--- a/.github/workflows/publish_package_on_release.yml
+++ b/.github/workflows/publish_package_on_release.yml
@@ -11,13 +11,13 @@ jobs:
 steps:
 - name: Check out from Git
- uses: actions/checkout@v3
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Get history and tags for SCM versioning
 run: |
 git fetch --prune --unshallow
 git fetch --depth=1 origin +refs/tags/*:refs/tags/*
 - name: Set up Python 3.11
- uses: actions/setup-python@v4
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: 3.11
 - name: Install pypa/build
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index e9de2c3b9..d22766f7c 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -17,9 +17,9 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Setup Python ${{ matrix.python-version }}
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
 with:
 python-version: ${{ matrix.python-version }}
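Review bot: The new `uses:` pins in both hunks (publish_package_on_release.yml and pull_request.yml) are only as trustworthy as the tag-to-commit lookup they were copied from, and the patch does not say how that was checked; before merging, confirm that `df4cb1c069e1874edd31b4311f1884172cec0e10` is the commit actions/checkout publishes as v6.0.3 and `a309ff8b426b58ec0e2a45f0f869d46889d02405` the one actions/setup-python publishes as v6.2.0, since the runner accepts any reachable SHA without relating it to the trailing `# v6.0.3` / `# v6.2.0` comment. A SHA pin also stops following upstream fixes, so if the repository has no Dependabot `github-actions` (or Renovate) configuration yet, one should accompany this change to keep the pins and their version comments refreshed together. Both workflows also jump several major versions at once (checkout v3/v4 to v6, setup-python v4/v5 to v6), which may alter defaults that the unchanged `git fetch --prune --unshallow` step in the first hunk relies on; verify against the upstream release notes rather than assuming a drop-in upgrade. Each job's `steps:` list continues outside its hunk.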