From 79cd155da12543a4f1b2b957f86a73c2564b2b7c Mon Sep 17 00:00:00 2001
From: Chisanan232
Date: Thu, 25 Jun 2026 20:09:36 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20(ci):=20Pin=20rw=5Fupload=5Ftest?= =?UTF-8?q?=5Fcov=5Freport=20reusable=20workflow=20to=20commit=20SHA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Pin the 5 call sites of Chisanan232/GitHub-Action_Reusable_Workflows-Python rw_upload_test_cov_report.yaml from the mutable @master ref to commit 4a6480470b90c0b6139e05489868585fa50aad6f. These jobs forward CODECOV_TOKEN and SONAR_TOKEN, so a compromised upstream master could exfiltrate the secrets; a SHA pin makes the third-party code immutable.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/rw_run_all_test_and_record.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/rw_run_all_test_and_record.yaml b/.github/workflows/rw_run_all_test_and_record.yaml
index 710e667..52ff90a 100644
--- a/.github/workflows/rw_run_all_test_and_record.yaml
+++ b/.github/workflows/rw_run_all_test_and_record.yaml
@@ -45,7 +45,7 @@ jobs:
 )
 }}
 needs: build-and-test
- uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@master
+ uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@4a6480470b90c0b6139e05489868585fa50aad6f # master (4a64804, 2026-05-26)
 secrets:
 codecov_token: ${{ secrets.codecov_token }}
 with:
@@ -66,7 +66,7 @@ jobs:
 )
 }}
 needs: build-and-test
- uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@master
+ uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@4a6480470b90c0b6139e05489868585fa50aad6f # master (4a64804, 2026-05-26)
 secrets:
 codecov_token: ${{ secrets.codecov_token }}
 with:
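Review bot: Pinning `rw_upload_test_cov_report.yaml` to `4a6480470b90c0b6139e05489868585fa50aad6f` on the new `uses:` line freezes only that workflow file; any actions it calls internally still resolve through whatever refs that commit names for them. The called workflow is not visible in this patch, so this needs checking at the pinned commit: if its steps reference other actions by tag or branch, the job that receives `codecov_token` can still run code that changes after the pin, and the same holds for the other four `uses:` lines in the hunks at -66, -88, -109 and -130. It is also worth confirming that the SHA is reachable from the upstream repository's own `master` and not only from a fork, since the trailing comment is the only thing asserting that. I would record the limit next to the first pin, e.g. `# Pin covers this workflow file only; re-check the action refs inside it whenever the SHA is bumped.`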
@@ -88,7 +88,7 @@ jobs:
 inputs.run_e2e == true
 }}
 needs: build-and-test
- uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@master
+ uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@4a6480470b90c0b6139e05489868585fa50aad6f # master (4a64804, 2026-05-26)
 secrets:
 codecov_token: ${{ secrets.codecov_token }}
 with:
@@ -109,7 +109,7 @@ jobs:
 )
 }}
 needs: build-and-test
- uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@master
+ uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@4a6480470b90c0b6139e05489868585fa50aad6f # master (4a64804, 2026-05-26)
 secrets:
 codecov_token: ${{ secrets.codecov_token }}
 with:
@@ -130,7 +130,7 @@ jobs:
 )
 }}
 needs: build-and-test
- uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@master
+ uses: Chisanan232/GitHub-Action_Reusable_Workflows-Python/.github/workflows/rw_upload_test_cov_report.yaml@4a6480470b90c0b6139e05489868585fa50aad6f # master (4a64804, 2026-05-26)
 secrets:
 codecov_token: ${{ secrets.codecov_token }}
 with:
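Review bot: The same 40-character SHA is now hand-copied onto five `uses:` lines (the hunk at -130 and the four before it), and nothing in the patch keeps those copies in step or moves them forward when upstream ships a fix. `uses:` does not accept expressions, so the value cannot be factored into a single variable; the practical options are an automated updater configured for the `github-actions` ecosystem, or a small CI check that fails when the five refs differ. The trailing comment `# master (4a64804, 2026-05-26)` records a branch and a date; if upstream publishes release tags, naming the tag there instead (`# <release-tag>`, placeholder) would make a stale or mismatched pin easier to spot in review.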