Skip to content

Comments

ci: pin all GitHub Actions to commit SHAs#2088

Merged
maxisbey merged 1 commit intomainfrom
pin-github-actions-shas
Feb 18, 2026
Merged

ci: pin all GitHub Actions to commit SHAs#2088
maxisbey merged 1 commit intomainfrom
pin-github-actions-shas

Conversation

@maxisbey
Copy link
Contributor

@maxisbey maxisbey commented Feb 18, 2026

Pin remaining GitHub Actions that were using mutable tags to specific commit SHAs for supply chain security. This ensures CI runs are reproducible and not vulnerable to tag hijacking.

Actions pinned

Action Was Now
actions/checkout @v6 @de0fac2e (v6.0.2)
astral-sh/setup-uv @v7.2.1 @803947b9 (v7.2.1)
anthropics/claude-code-action @v1 @2f8ba26a (v1.0.53)

Affected workflows

  • weekly-lockfile-update.yml
  • claude.yml
  • claude-code-review.yml

All other workflows were already pinned to SHAs.

@maxisbey
ci: pin all GitHub Actions to commit SHAs
05c7973 
Pin remaining actions that were using mutable tags to specific commit
SHAs for supply chain security. This ensures CI runs are reproducible
and not vulnerable to tag hijacking.

Actions pinned:
- actions/checkout@v6 -> de0fac2e (v6.0.2)
- astral-sh/setup-uv@v7.2.1 -> 803947b9
- anthropics/claude-code-action@v1 -> 2f8ba26a (v1.0.53)

Affected workflows:
- weekly-lockfile-update.yml
- claude.yml
- claude-code-review.yml
@maxisbey maxisbey merged commit 43d709c into main Feb 18, 2026
29 of 30 checks passed
@maxisbey maxisbey deleted the pin-github-actions-shas branch February 18, 2026 19:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Kludex approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maxisbey @Kludex