From b5665496396a22d18951eea8c1669c9fd3665869 Mon Sep 17 00:00:00 2001
From: KiloClaw Security
Date: Sun, 28 Jun 2026 04:16:50 +0000
Subject: [PATCH] ci: pin GitHub Actions to full commit SHAs
Pin unpinned action references to immutable commit SHAs. Version tags retained as inline comments. See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
---
.github/workflows/build-pull-request.yml | 2 +-
.github/workflows/verify.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-pull-request.yml b/.github/workflows/build-pull-request.yml
index 943884c4e85..b1bf9554b3e 100644
--- a/.github/workflows/build-pull-request.yml
+++ b/.github/workflows/build-pull-request.yml
@@ -18,7 +18,7 @@ jobs: uses: ./.github/actions/print-jvm-thread-dumps - name: Upload Build Reports if: failure()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: build-reports path: '**/build/reports/'
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 1c28390bde1..0cab8281293 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -49,7 +49,7 @@ jobs: path: send-notification sparse-checkout: .github/actions/send-notification - name: Set Up Java
- uses: actions/setup-java@v5
+ uses: actions/setup-java@1bcf9fb12cf4aa7d266a90ae39939e61372fe520 # v5 with: distribution: 'liberica' java-version: 17
@@ -80,7 +80,7 @@ jobs: run: ./gradlew spring-boot-release-verification-tests:test - name: Upload Build Reports on Failure if: failure()
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7 with: name: build-reports path: '**/build/reports/'
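Review bot: The trailing comment on the new `uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7` line records the floating major tag rather than the exact release the SHA resolves to, so a reviewer cannot check the SHA against a tag and the comment will silently go stale as soon as upstream moves `v7` to a newer commit. Record the immutable release tag instead, e.g. `# v7.0.0` (whichever exact `v7.x.y` tag 043fb46d points at; I cannot resolve it from the diff), which is also the form Dependabot and Renovate use to keep the comment and the SHA in step. Before merging, confirm the SHA is a commit reachable from a release tag in the upstream `actions/upload-artifact` repository, since as far as I know GitHub will also resolve a commit that exists only in a fork of that repository. The enclosing job definition starts outside the hunk.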
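Review bot: The context lines `path: send-notification` and `sparse-checkout: .github/actions/send-notification` look like the tail of a checkout step whose own `uses:` line sits above the hunk; that step is not touched by this patch, so if it references a third-party action by tag it remains exactly the kind of unpinned reference the `setup-java` pin below it is meant to remove. Worth checking the lines above, and any later step that consumes the sparse checkout (presumably a `uses: ./send-notification/.github/actions/send-notification` reference, which is fine because it is repo-local), before calling the workflow fully pinned. Separately, `# v5` on the new `setup-java` line should name the exact tag the SHA corresponds to, e.g. `# v5.0.0`, so the comment can be verified against upstream and auto-updated. The enclosing job starts before the hunk.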
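Review bot: The same `043fb46d1a93c77aae656e7c1c64a875d1fc6a0a` SHA is now duplicated across two workflows with nothing in this patch to keep either copy current, and a SHA pin without an update bot quietly becomes a frozen, possibly vulnerable release within months. Pair this with a Dependabot configuration entry for the `github-actions` package ecosystem in `.github/dependabot.yml` (or an equivalent Renovate rule) so the SHAs and their `# vN` comments are bumped together; I cannot see from this diff whether the repository already has one. A pinned SHA is also only as trustworthy as the commit it names: verify it is reachable from a release tag in upstream `actions/upload-artifact` rather than merely a commit GitHub resolves from a fork, and prefer recording that exact tag (e.g. `# v7.0.0`) over the floating `# v7`. This step's job starts outside the hunk.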