From 9b5edd6da0318e669cd38d585a911865b29af61b Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Wed, 25 Mar 2026 12:58:14 -0400
Subject: [PATCH 1/2] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/workflows/release-please.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 4cb365d..2a15732 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,7 +18,7 @@ jobs:
 releases_created: ${{ steps.release.outputs.releases_created }}
 steps:
- - uses: google-github-actions/release-please-action@v4
+ - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
 id: release
 with:
 token: ${{ secrets.GITHUB_TOKEN }}

From 70e29190ae1c6e3602ed4cd57fa010ac2a99fed3 Mon Sep 17 00:00:00 2001
From: Ryan Lamb <4955475+kinyoklion@users.noreply.github.com>
Date: Fri, 27 Mar 2026 11:03:15 -0700
Subject: [PATCH 2/2] Update release-please-action version to v4.4.0

---
 .github/workflows/release-please.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 2a15732..fcd18f9 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -18,7 +18,7 @@ jobs:
 releases_created: ${{ steps.release.outputs.releases_created }}
 steps:
- - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4
+ - uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.4.0
 id: release
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
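Review bot: The pin on the `+` line of the first hunk is only as strong as the check that `e4dc86ba…` is the commit the upstream `v4` tag actually points to, and nothing in the patch records how that was established. GitHub resolves a bare SHA against the repository's whole fork network, so a commit that exists only in a fork would also be accepted by `uses:`; the safeguard is to confirm the SHA against the upstream tag (for example `git ls-remote --tags` on the upstream repository, comparing the peeled ref to the pinned commit) and to note that in the commit message so the next bump can repeat it. The `jobs:` block this step belongs to starts before the hunk, and the step's `with:` mapping may continue past it.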
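Review bot: In the second hunk the SHA on the `+` line is unchanged from the first patch and only the trailing comment moves from `# v4` to `# v4.4.0`, so the relabel is correct only if the `v4.4.0` tag resolves to `e4dc86ba…`, which the patch does not demonstrate. Dependabot and Renovate read that trailing comment to decide which version is pinned and what to propose next, so a label that does not match the SHA would make later update PRs misreport or skip versions. The commit message would benefit from the verification it relied on, e.g. a line stating that `refs/tags/v4.4.0` (peeled) equals the pinned commit. The step's `with:` mapping may continue past the hunk.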