Skip to content

ci: pin third-party actions to full commit SHAs (matching the existing setup-uv pin)#2249

Open
kobihikri wants to merge 1 commit into
tortoise:developfrom
kobihikri:ci-pin-third-party-actions
Open

ci: pin third-party actions to full commit SHAs (matching the existing setup-uv pin)#2249
kobihikri wants to merge 1 commit into
tortoise:developfrom
kobihikri:ci-pin-third-party-actions

Conversation

@kobihikri

Copy link
Copy Markdown

Hi, and thank you for Tortoise ORM.

CI supply-chain hardening that matches a practice you already follow. Every workflow already SHA-pins astral-sh/setup-uv (…08807647… # v8.1.0), but four third-party actions in secret-bearing jobs are still on mutable refs:

  • peaceiris/actions-gh-pages@v3 (×2, holds PERSONAL_TOKEN that pushes to tortoise/tortoise.github.io)
  • CodSpeedHQ/action@v3 (holds CODSPEED_TOKEN)
  • pypa/gh-action-pypi-publish@release/v1 (a mutable branch, holds pypi_password)

This PR pins each to the commit its current ref points at, with a version comment — same style as your setup-uv pin. I stayed on the v3 line for the two @v3 actions (no major-version change) and used the current v1 release for pypi-publish. Dependabot's github-actions ecosystem can bump these going forward.

Verified SHAs: peaceiris v3.9.3 373f7f2…, CodSpeed v3.8.1 76578c2…, pypi-publish v1.14.0 6733eb7….

For transparency: I used AI assistance to spot and draft this; I verified the refs and resolved the SHAs myself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant