From b3cc3575c8dcb1d277d30a830886fce2b6829d3c Mon Sep 17 00:00:00 2001 From: Semgrep Autofix Date: Fri, 20 Mar 2026 14:34:27 +0000 Subject: [PATCH] chore: Pin release-please-action to full commit SHA Pin the `googleapis/release-please-action` to a full commit SHA to mitigate supply chain attack risks. ## Changes - Pin `googleapis/release-please-action@v4` to commit SHA `7987652d64b54f048af0955c00c6c20444d67d5a` - Add version comment (`# v4`) for maintainability ## Why Using a version tag like `v4` means the workflow references a mutable pointer that could be changed by a bad actor who gains access to the action's repository. Pinning to the full 40-character commit SHA ensures the workflow uses an immutable reference, requiring an attacker to generate a SHA-1 collision to inject malicious code. ## Semgrep Finding Details An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. @pkaeding@launchdarkly.com requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/launchdarkly/findings/726547317). --- .github/workflows/release-please.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index a86f793..75969c0 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -20,7 +20,7 @@ jobs: - 8500:8500 steps: - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@7987652d64b54f048af0955c00c6c20444d67d5a # v4 id: release - uses: actions/checkout@v4
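Review bot: The trailing context line `- uses: actions/checkout@v4` is still on a mutable tag after this hunk, so the workflow keeps one unpinned reference even though `googleapis/release-please-action` two lines above is now on a full SHA. The Semgrep rule quoted in the description scopes itself to actions from third-party repositories, which is presumably why `actions/checkout` was not flagged, but the tag-versus-SHA reasoning in the `## Why` section applies to it equally, and pinning it in the same style (`actions/checkout@<full sha> # v4`, with the comment so Dependabot can keep the SHA and comment in step) would leave the file consistent. Also worth recording in the PR is how `7987652d64b54f048af0955c00c6c20444d67d5a` was confirmed to be the commit the upstream `v4` tag resolved to when the pin was taken; the diff cannot show that, so a reviewer should resolve the tag in the upstream repository before merging.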
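The check a reviewer would want to run on the whole file, not just the one line this patch touches, is "which `uses:` references are still not a full 40-hex commit SHA". The script below is an added example and not part of this commit or of Semgrep's tooling; the function names `list_unpinned_uses` and `count_unpinned_uses` are hypothetical, and the workflow it scans is a constructed sample that mirrors the hunk above (one pinned action, one tag-pinned action, one local action). Local (`./`) and `docker://` references are skipped because a commit SHA does not apply to them.

```shell
#!/bin/sh
# Added example: report `uses:` references in a GitHub Actions workflow that are
# not pinned to a full 40-character commit SHA. Not part of the original commit.

# Print every `uses:` target that is neither a full SHA pin nor a local/docker
# reference. Trailing `# v4`-style comments are stripped before the check.
list_unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
    | grep -vE '^(\./|docker://)' \
    | grep -vE '^[^@]+@[0-9a-f]{40}$' || true
}

# Number of unpinned references (0 when the file is fully pinned).
count_unpinned_uses() {
  list_unpinned_uses "$1" | awk 'END { print NR }'
}

# Constructed sample workflow (hypothetical, shaped like the hunk in this patch).
SAMPLE_WORKFLOW=$(mktemp)
cat > "$SAMPLE_WORKFLOW" <<'EOF'
name: release-please
jobs:
  release:
    steps:
      - uses: googleapis/release-please-action@7987652d64b54f048af0955c00c6c20444d67d5a # v4
        id: release
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-step
EOF

# Stand-alone usage: prints the unpinned references, then the count.
list_unpinned_uses "$SAMPLE_WORKFLOW"
count_unpinned_uses "$SAMPLE_WORKFLOW"
```

Run it against a real file with `list_unpinned_uses .github/workflows/release-please.yml`; a non-zero count is the signal to pin the remaining actions before merging, and it is cheap enough to run in CI as a gate.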