diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5417f44..40e7ec7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,10 +8,10 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 python-version: "3.11"
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 20a8f02..16a39ba 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -13,7 +13,7 @@ jobs:
 review:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
diff --git a/.github/workflows/contract-drift.yml b/.github/workflows/contract-drift.yml
index 89308a3..789c792 100644
--- a/.github/workflows/contract-drift.yml
+++ b/.github/workflows/contract-drift.yml
@@ -17,10 +17,10 @@ jobs:
 drift:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 python-version: "3.11"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f480945..dba0a2b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,8 @@
 # workflow = release.yml · environment = (leave blank)
 # Docs: https://docs.pypi.org/trusted-publishers/
 #
-# Hardening note: for production, pin the actions below to commit digests
-# (e.g. actions/checkout@) rather than moving tags.
+# Actions below are pinned to commit SHAs (version in the trailing comment) for
+# supply-chain safety — bump the SHA and comment together when updating.
 name: Publish
 on:
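Review bot: The `# v6.0.3` and `# v8.2.0` trailers on the new `uses:` lines are the only record of which tag each SHA was taken from, and nothing visible in these hunks keeps them in step with the SHA once someone edits one without the other — the release.yml header comment asks maintainers to "bump the SHA and comment together", which is a manual rule with no enforcement. The usual way to close that gap is a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"`, which rewrites the SHA and the version comment in the same PR; this applies equally to the ci.yml, codex-review.yml and contract-drift.yml hunks and to the second release.yml hunk. Separately, the pin is bundled with major-version jumps (actions/checkout v4→v6, astral-sh/setup-uv v5→v8) that may change the actions' defaults or runner requirements, and the commit does not say whether the changelogs were reviewed, so that should be stated or the pins taken at the previously used majors first. Each enclosing `steps:` list continues outside its hunk.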
@@ -23,10 +23,10 @@ jobs:
 permissions:
 id-token: write # required for OIDC trusted publishing
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
 with:
 python-version: "3.11"