From 326cc6e2fa784b0d61dbea7cb2c2bdfbdad22cea Mon Sep 17 00:00:00 2001
From: Gokul Krishnaa Devaraju
Date: Tue, 9 Jun 2026 15:29:16 -0700
Subject: [PATCH] fix(scripts): pin EricCrosson/retry to v1.4.8 with SHA256 digest

Pins the retry binary to an exact version and checksum to address supply-chain security concerns in the npm publish pipeline.

WCN-865

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/npmjs-release.yml | 2 +-
 .github/workflows/publish.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/npmjs-release.yml b/.github/workflows/npmjs-release.yml
index 49f740d471..ab3ef1e1c6 100644
--- a/.github/workflows/npmjs-release.yml
+++ b/.github/workflows/npmjs-release.yml
@@ -239,7 +239,7 @@ jobs:
 - name: Install retry
 uses: BitGo/install-github-release-binary@v2
 with:
- targets: EricCrosson/retry@v1
+ targets: EricCrosson/retry@v1.4.8:sha256-15224553f40d5d16dcc1a696798741227c79670a41f43e522002e634aa1d7c64
 - name: Run yarn audit
 run: retry --up-to 2x --every 3s -- yarn run audit-high --retry-on-network-failure
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 85b7f58459..f7239ea240 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -39,7 +39,7 @@ jobs:
 - name: Install retry
 uses: BitGo/install-github-release-binary@v2
 with:
- targets: EricCrosson/retry@v1
+ targets: EricCrosson/retry@v1.4.8:sha256-15224553f40d5d16dcc1a696798741227c79670a41f43e522002e634aa1d7c64
 - name: Audit Dependencies
 run: retry --up-to 2x --every 3s -- yarn run improved-yarn-audit --min-severity high --retry-on-network-failure
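Review bot: The digest pin is only as strong as the action that enforces it, and the unchanged context line `uses: BitGo/install-github-release-binary@v2` still resolves a mutable tag, so a moved or compromised `v2` could skip or misreport the checksum comparison the new `targets:` line relies on; pin it to a full commit SHA with the tag kept as a comment, `uses: BitGo/install-github-release-binary@<commit-sha> # v2`. The digest itself has no provenance recorded, so the next bump cannot tell which asset it was computed over or how; a comment above `targets:` such as `# sha256 of the v1.4.8 release asset this action downloads; recompute with sha256sum when bumping` makes it reproducible rather than copied from whatever the action printed. Which asset the action hashes (binary vs. archive, per platform) is not visible here, so confirm against the action's documentation before wording that comment. The enclosing job definition starts outside the hunk.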
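Review bot: This `targets:` pin duplicates the one in npmjs-release.yml byte-for-byte with nothing tying the two copies together, so a future bump of one workflow silently leaves the other on a stale version and digest. Add a cross-reference above `targets:` in this file, `# keep in sync with .github/workflows/npmjs-release.yml`, and consider hoisting the pin into a single composite action if the repository has a place for one (not visible here). As with the sibling hunk, the context line `uses: BitGo/install-github-release-binary@v2` remains a mutable tag that undercuts the digest check; a commit-SHA pin with a trailing `# v2` comment closes that gap. The enclosing job definition starts outside the hunk.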