Skip to content

ci: pin third-party actions to commit SHAs (REQ-1.4.10)#14

Open
OgeonX-Ai wants to merge 1 commit into
mainfrom
ci/sha-pin-actions
Open

ci: pin third-party actions to commit SHAs (REQ-1.4.10)#14
OgeonX-Ai wants to merge 1 commit into
mainfrom
ci/sha-pin-actions

Conversation

@OgeonX-Ai

Copy link
Copy Markdown
Contributor

Summary

  • Pin every third-party action uses: reference in codeql.yml, pages.yml, pr-lint.yml, and stale.yml to a full 40-char commit SHA (trailing # vX.Y.Z comment retained).
  • No behavior change; ci.yml and static.yml were already fully SHA-pinned and are untouched.
  • CodeQL strategy.matrix.language remains ['actions'] — not modified by this PR (verified via workflow-lint + grep).
  • No Azure deploy steps present in this repo's workflows, so the workflow_dispatch operator lock does not apply here.

Note: the SHA table in the originating plan (31-04) was resolved against @v4/@v3/@v5/@v8 tags on 2026-07-06, but this repo's workflows had already moved to newer tags (@v7/@v4/@v6/@v5/@v10) via prior dependabot merges. SHAs in this PR were re-resolved live via gh api repos/<owner>/<action>/commits/<tag> against the actual tags found in each file, and cross-checked against the already-pinned SHAs in ci.yml/static.yml for consistency (they match).

Test plan

  • powershell.exe -File scripts/workflow-lint.ps1 -Path portfolio/cloud-security-service-model -Json reports zero findings against this branch content.
  • grep -n "language:" .github/workflows/codeql.yml confirms ['actions'] unchanged.

Part of REQ-1.4.10 (Phase 31 org CI supply-chain hardening).

- codeql.yml: checkout, codeql-action init/autobuild/analyze
- pages.yml: checkout, setup-python, upload-pages-artifact, deploy-pages
- pr-lint.yml: action-semantic-pull-request
- stale.yml: actions/stale
- SHAs re-resolved for current tags (v7/v4/v6/v5/v6/v10) as repo tags had
  moved ahead of the plan's interface table since it was authored
- CodeQL language matrix left unchanged (['actions'])
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@OgeonX-Ai OgeonX-Ai enabled auto-merge (squash) July 8, 2026 17:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants