
ci: pin versions of actions and review to be certain these are correct #10627

Merged
jasonsaayman merged 1 commit into v1.x from sec/pin-github-actions on Apr 1, 2026

Conversation

@jasonsaayman jasonsaayman commented Apr 1, 2026

Summary by cubic

Pinned all GitHub Actions in CI workflows to specific commit SHAs to harden supply chain and make runs reproducible. No behavior changes expected.

Description

  • Summary of changes
    • Replaced floating tags with commit SHAs for actions/checkout, actions/setup-node, actions/upload-artifact, actions/download-artifact, actions/dependency-review-action, peter-evans/create-pull-request, and github/ai-moderator across moderator.yml, publish.yml, release-branch.yml, run-ci.yml, and update-sponsor-block.yml.
  • Reasoning
    • Prevents unexpected updates and reduces supply-chain risk.
  • Additional context
    • Kept inline version comments for clarity. No workflow logic changes.

Docs

  • No docs updates needed. Maintain pinned SHAs when upgrading Actions.

Testing

  • No tests added or changed. CI-only change; existing workflows should continue to pass. No additional tests needed.

Written for commit f52e6ad. Summary will update on new commits.
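The pinning rule this PR applies by hand, turned into an automated check (an added example written for this page, not the project's own code or workflows): scan a workflow file and flag every `uses:` reference that is not a full 40-hex commit SHA carrying an inline version comment. The workflow text and every SHA in it are constructed placeholders, not real commits of any action.

```python
"""Flag GitHub Actions in a workflow that are not pinned to a full commit SHA
with an inline version comment (the convention the PR above adopts)."""
import re

# Matches `- uses: owner/repo[/path]@ref   # optional version comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE_WORKFLOW = """\
name: ci
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-step
      - uses: peter-evans/create-pull-request@abc1234
      - uses: actions/upload-artifact@fedcba9876543210fedcba9876543210fedcba98
"""


def check_workflow(text):
    """Return a list of (line_no, reference, problem) for each action that
    does not meet the pinning convention. An empty list means all pinned."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group(1), m.group(2)
        # Local composite actions and docker images are not GitHub refs,
        # so SHA pinning does not apply to them.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((n, ref, "no ref at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            # Tags, branches and short SHAs are mutable or ambiguous.
            findings.append((n, ref, "not pinned to a full 40-hex commit SHA"))
        elif not comment:
            # The SHA is fine, but reviewers need the version it maps to.
            findings.append((n, ref, "pinned SHA lacks an inline version comment"))
    return findings
```

Run it over each file under `.github/workflows/` in CI and fail the job when the list is non-empty; quoted `uses: "..."` values are not handled by this regex.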

@jasonsaayman jasonsaayman self-assigned this Apr 1, 2026
@jasonsaayman jasonsaayman added priority::high A high priority issue commit::ci The PR is related to CI labels Apr 1, 2026
@jasonsaayman
Member Author

see #10615 for original attribution


@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 5 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman merged commit e9a1db9 into v1.x Apr 1, 2026
26 of 27 checks passed
@jasonsaayman jasonsaayman deleted the sec/pin-github-actions branch April 1, 2026 18:08
@jasonsaayman jasonsaayman restored the sec/pin-github-actions branch April 2, 2026 13:24
@jasonsaayman jasonsaayman deleted the sec/pin-github-actions branch April 2, 2026 13:25
