From c1d5b2298f2b567e0aaddb19dc11cad54a134d76 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 5 Jul 2026 03:10:45 +0000 Subject: [PATCH] ci(security): pin GitHub Actions to full commit SHAs Pin actions/checkout and actions/setup-node to immutable commit SHAs (with the resolved version in a trailing comment) across all three workflows instead of the mutable `@v4` major tag. Mutable tags can be force-moved by a compromised or hijacked action maintainer to point at malicious code. The publish workflow runs with `id-token: write` and holds `NPM_PUBLISH_TOKEN`, so a moved tag there could exfiltrate the npm token or publish a backdoored release under this package's name. Pinning to a SHA makes every workflow run use exactly the audited code. This is the OpenSSF Scorecard "Pinned-Dependencies" recommendation and appropriate dogfooding for a supply-chain security tool. Dependabot's github-actions ecosystem understands the `@ # ` format and keeps the pins current, so this composes with automated updates rather than freezing the versions. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01QvQQy7fpkxLaR1idLHgX2e --- .github/workflows/auto-tag.yml | 4 ++-- .github/workflows/ci.yml | 4 ++-- .github/workflows/publish.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml index d21635b..d12f96b 100644 --- a/.github/workflows/auto-tag.yml +++ b/.github/workflows/auto-tag.yml @@ -12,12 +12,12 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: fetch-depth: 0 token: ${{ secrets.GITHUB_TOKEN }} - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fad540b..8f64cf2 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -8,10 +8,10 @@ jobs: ci: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' cache: 'npm' diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 575daf9..6584f25 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -15,9 +15,9 @@ jobs: name: Build & Publish runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: '20' registry-url: 'https://registry.npmjs.org'