Summary
All GitHub Actions referenced in .github/workflows/ci.yml are currently pinned to mutable tag references (e.g., @v5, @v6). Mutable tags can be moved by upstream maintainers or attackers to point to a different (potentially malicious) commit, introducing a supply-chain risk.
Actions to pin
The following action references should be updated to use their full commit SHA, with the human-readable tag preserved in an inline comment:
actions/checkout@v6 (lines 15, 51)
actions/setup-python@v6 (lines 18, 56)
astral-sh/setup-uv@v5 (lines 21, 61)
Example fix
- name: Install uv
  uses: astral-sh/setup-uv@<full_commit_sha> # v5
Apply the same pattern to all occurrences of actions/checkout and actions/setup-python.
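As an added illustration (not part of this issue or the project's own tooling), the following script audits workflow text for the problem described above: it flags every `uses:` reference whose `@ref` is not a full 40-hex commit SHA, flags pinned references that lack the human-readable tag comment, and performs the textual rewrite to the `action@<sha> # <tag>` form once the SHA has been resolved out of band. The sample workflow, the all-zero and all-one SHAs, and the function names are constructed for the example; it scans line by line with a regular expression so it needs only the standard library.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to a full commit SHA.

Added example, not code from the original issue or the project. It scans the
workflow text line by line with a regex instead of a YAML parser so that it
runs with the standard library only. The sample workflow below is constructed
for illustration; the 40-digit SHAs in it are placeholders, not real commits.
"""
import re
from dataclasses import dataclass

# Matches `uses: owner/repo[/path]@ref`, optionally followed by a `# comment`.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*))?$"
)
# A full Git object id: exactly 40 lowercase hex digits (SHA-1).
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line within the workflow file
    action: str    # e.g. "actions/checkout"
    ref: str       # whatever follows the '@'
    problem: str   # "mutable-ref" or "missing-version-comment"


def audit_workflow(text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is mutable or lacks a tag comment.

    Local actions (`uses: ./.github/actions/foo`) and Docker images
    (`uses: docker://...`) carry no `owner/repo@ref` form and are skipped.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m["action"], m["ref"], m["comment"]
        if not FULL_SHA_RE.match(ref):
            # Tag or branch name: upstream can move it to another commit.
            findings.append(Finding(line_no, action, ref, "mutable-ref"))
        elif not (comment and re.search(r"v?\d+(\.\d+)*", comment)):
            # Pinned, but no human-readable version in the trailing comment.
            findings.append(Finding(line_no, action, ref, "missing-version-comment"))
    return findings


def pin_reference(line: str, sha: str) -> str:
    """Rewrite a tag-pinned `uses:` line to `action@<sha> # <tag>`.

    The caller supplies the SHA it resolved out of band (for example with
    `git ls-remote --tags`); this function only performs the textual edit.
    """
    m = USES_RE.match(line)
    if not m or not FULL_SHA_RE.match(sha):
        raise ValueError("not a `uses:` line, or sha is not 40 hex digits")
    return f"{line[:m.start('ref')]}{sha} # {m['ref']}"


# Constructed sample workflow (not the project's real ci.yml).
SAMPLE_WORKFLOW = """\
# Constructed sample, not the project's real ci.yml.
jobs:
  test:
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
      - name: Install uv
        uses: astral-sh/setup-uv@0000000000000000000000000000000000000000 # v5
      - name: Local helper
        uses: ./.github/actions/lint
      - uses: actions/cache@1111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no}: {f.action}@{f.ref} -> {f.problem}")
```

Run against the constructed sample, the two `@v6` references are reported as mutable, the `setup-uv` line passes because it is SHA-pinned with a `# v5` comment, the local action is ignored, and the SHA-pinned `actions/cache` line is reported only for its missing version comment. Resolving a tag to its SHA is a separate step (`git ls-remote --tags https://github.com/<owner>/<repo> <tag>`); feeding that SHA into `pin_reference` produces the line shape shown in the example fix above.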
References