Commit 80ac1da
authored
chore: pin third-party GitHub Actions to commit SHAs (#42)
## Summary
Pin all third-party GitHub Actions to full-length commit SHAs to prevent
supply chain attacks.
Addresses findings from the
[`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml)
Semgrep rule.
## Test plan
- [ ] Verify CI passes with pinned action SHAs
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: workflow-only changes that pin action versions; main risk is
CI/release failing if the pinned SHAs are incorrect or later revoked.
>
> **Overview**
> Pins `googleapis/release-please-action` and
`pypa/gh-action-pypi-publish` to full commit SHAs in the
`release-please` and `manual-publish` workflows (instead of floating
tags), improving supply-chain hardening without changing the release
logic.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f6b6759. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->2 files changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
34 | 34 | | |
35 | 35 | | |
36 | 36 | | |
37 | | - | |
| 37 | + | |
38 | 38 | | |
39 | 39 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
12 | 12 | | |
13 | 13 | | |
14 | 14 | | |
15 | | - | |
| 15 | + | |
16 | 16 | | |
17 | 17 | | |
18 | 18 | | |
| |||
44 | 44 | | |
45 | 45 | | |
46 | 46 | | |
47 | | - | |
| 47 | + | |
48 | 48 | | |
49 | 49 | | |
0 commit comments