From cc2f8d67c036053bc635a43ee6b871f50738dfbd Mon Sep 17 00:00:00 2001
From: Gregory Oschwald
Date: Wed, 7 Jan 2026 14:13:57 -0800
Subject: [PATCH] Pin GitHub Actions to SHA for security
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Update official GitHub Actions (actions/*, github/*) to use pinned commit SHAs instead of version tags. This satisfies zizmor's unpinned-action-reference security check.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/clang-addresssanitizer.yml | 2 +-
 .github/workflows/clang-analyzer.yml | 2 +-
 .github/workflows/codeql-analysis.yml | 6 +++---
 .github/workflows/test.yml | 4 ++--
 .github/workflows/zizmor.yml | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/clang-addresssanitizer.yml b/.github/workflows/clang-addresssanitizer.yml
index 572db5cb..1772e37c 100644
--- a/.github/workflows/clang-addresssanitizer.yml
+++ b/.github/workflows/clang-addresssanitizer.yml
@@ -17,7 +17,7 @@ jobs:
 CXXFLAGS: -fsanitize=address
 LDFLAGS: -fsanitize=address
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false
diff --git a/.github/workflows/clang-analyzer.yml b/.github/workflows/clang-analyzer.yml
index ae5a65fe..b8ee2cd1 100644
--- a/.github/workflows/clang-analyzer.yml
+++ b/.github/workflows/clang-analyzer.yml
@@ -10,7 +10,7 @@ jobs:
 name: Clang static analysis
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 - run: sudo apt install clang-tools libipc-run3-perl
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c3985711..1225abb4 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
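Review bot: Nothing in this hunk or in the commit message shows that the SHA on the added `uses:` line was checked against the `# v6.0.1` it claims to be, and the runner will execute whatever commit that SHA names regardless of the comment; before merging, confirm it with `git ls-remote --tags https://github.com/actions/checkout v6.0.1` and compare against the peeled `^{}` entry if the tag is annotated. The same SHA is used for every `actions/checkout` pin in this patch, so one check covers all of them. A SHA pin also only stays current if something bumps it: unless the repository already has Dependabot or Renovate watching `github-actions` (not visible in this patch), add a `.github/dependabot.yml` entry with `package-ecosystem: github-actions` so the SHA and the trailing version comment move together instead of the comment drifting out of date. The enclosing job starts before this hunk and its `steps:` list presumably continues after it.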
@@ -18,7 +18,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 # We must fetch at least the immediate parents so that if this is
 # a pull request then we can checkout the head.
@@ -33,7 +33,7 @@ jobs:
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 - run: sudo apt install libipc-run3-perl pandoc
 - run: |
@@ -43,4 +43,4 @@ jobs:
 make safedist
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f3c10ce7..87284bc0 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,7 +18,7 @@ jobs:
 CC: ${{ matrix.cc }}
 VERBOSE: 1
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false
@@ -40,7 +40,7 @@ jobs:
 name: CMake build on ${{matrix.os}}
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index fbef643f..04c5c7d6 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -15,7 +15,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
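Review bot: The `init` pin added in the `@@ -33,7` hunk and the `analyze` pin in the hunk below it carry the same SHA `5d4e8d1a…`, which is what the CodeQL action documentation advises since `analyze` consumes the database `init` set up, but nothing ties the two lines together, so a later one-sided bump would pass review unnoticed. Adding `# keep in lockstep with codeql-action/analyze below` beside the `init` pin (and the mirror comment beside `analyze`) makes the coupling visible; an automated updater for `github-actions` would bump both in one PR because they come from the same repository, but that only helps if one is configured, which this patch does not show. As with the checkout pins, verify that the SHA really is what the `# v4.31.9` comment says with `git ls-remote --tags https://github.com/github/codeql-action v4.31.9` rather than trusting the comment. The job's `steps:` list starts before these hunks and continues between and after them.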