From 86936116834ef795cca9baa3adbb51619207d865 Mon Sep 17 00:00:00 2001
From: ArcSolver
Date: Thu, 4 Jun 2026 18:24:29 +0900
Subject: [PATCH] =?UTF-8?q?ci:=20=EC=9B=8C=ED=81=AC=ED=94=8C=EB=A1=9C=20?= =?UTF-8?q?=EC=95=A1=EC=85=98=EC=9D=84=20Node=2024=20=EB=9F=B0=ED=83=80?= =?UTF-8?q?=EC=9E=84=20=EB=B2=84=EC=A0=84=EC=9C=BC=EB=A1=9C=20SHA=20?= =?UTF-8?q?=ED=95=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- actions/checkout @v4 → @df4cb1c (v6.0.3)
- astral-sh/setup-uv @v5 → @fac544c (v8.2.0)
둘 다 Node 20→24 (2026-06-16 deprecation 해소). SHA 핀(공급망 보안), 버전은 인라인 주석. gh api로 SHA 교차검증.
Co-Authored-By: Claude Opus 4.8
---
.github/workflows/ci.yml | 4 ++--
.github/workflows/codex-review.yml | 2 +-
.github/workflows/contract-drift.yml | 4 ++--
.github/workflows/release.yml | 8 ++++----
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5417f44..40e7ec7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,10 +8,10 @@ jobs:
test:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.11"
diff --git a/.github/workflows/codex-review.yml b/.github/workflows/codex-review.yml
index 20a8f02..16a39ba 100644
--- a/.github/workflows/codex-review.yml
+++ b/.github/workflows/codex-review.yml
@@ -13,7 +13,7 @@ jobs:
review:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
with:
fetch-depth: 0
diff --git a/.github/workflows/contract-drift.yml b/.github/workflows/contract-drift.yml
index 89308a3..789c792 100644
--- a/.github/workflows/contract-drift.yml
+++ b/.github/workflows/contract-drift.yml
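Review bot: The SHA pins on the `actions/checkout` and `astral-sh/setup-uv` lines of the ci.yml hunk — and the same lines in codex-review.yml, contract-drift.yml and release.yml — only keep their value if something re-verifies and advances them, because a commit SHA never moves on its own and the runner never checks that the `# v6.0.3` / `# v8.2.0` comment beside it is true. If the repository does not already have a Dependabot configuration for the `github-actions` ecosystem, add one in `.github/dependabot.yml` with `package-ecosystem: "github-actions"`; Dependabot rewrites the 40-character SHA and the trailing `# vX.Y.Z` comment together, which is the reason to keep that comment on the `uses:` line in exactly this form. A lint step that checks every `uses:` against a full-length SHA would also catch a later edit that quietly reverts one of these lines to a moving tag. The `steps:` list in each of these jobs appears to continue past the end of the hunk.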
@@ -17,10 +17,10 @@ jobs:
drift:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.11"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f480945..dba0a2b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,8 +7,8 @@
# workflow = release.yml · environment = (leave blank)
# Docs: https://docs.pypi.org/trusted-publishers/
#
-# Hardening note: for production, pin the actions below to commit digests
-# (e.g. actions/checkout@) rather than moving tags.
+# Actions below are pinned to commit SHAs (version in the trailing comment) for
+# supply-chain safety — bump the SHA and comment together when updating.
name: Publish
on:
@@ -23,10 +23,10 @@ jobs:
permissions:
id-token: write # required for OIDC trusted publishing
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.11"
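Review bot: The new header comment in the release.yml `@@ -7,8 +7,8 @@` hunk tells the maintainer to bump the SHA and the version comment together but not how to confirm that the two agree, and that agreement is what lets a reviewer trust the pin — a plausible-looking `# v6.0.3` next to an unrelated commit would pass review unnoticed. The commit message records a `gh api` cross-check; put that step into the comment so it is repeated on every bump, for example `# Before bumping, confirm the new SHA is the commit the upstream release tag resolves to (e.g. git ls-remote --tags <upstream-url> <tag>; for annotated tags use the ^{} line).` The check matters most in this file because the job in the following hunk grants `id-token: write`, so the actions it runs execute with access to the OIDC token used for trusted publishing.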