From 1a9006e1ce7fc504bb9e6ded20877e2437297396 Mon Sep 17 00:00:00 2001
From: tehw0lf
Date: Thu, 2 Jul 2026 18:43:51 +0200
Subject: [PATCH] fix(ci): pin action SHAs in security-scan.yml to prevent supply-chain attacks

Pins dawidd6/action-download-artifact and actions/upload-artifact to full commit SHAs instead of mutable version tags, resolving Semgrep findings (github-actions-mutable-action-tag).
---
 .github/workflows/security-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 8c8cac6..0ba23fd 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -49,7 +49,7 @@ jobs:
     steps:
       - name: Download latest dist artifacts from CI
-        uses: dawidd6/action-download-artifact@v6
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
         with:
           workflow: build.yml
           name: dist
@@ -58,7 +58,7 @@ jobs:
       - name: Upload artifacts for scanning
         if: hashFiles('dist/**/*') != ''
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: build
           path: dist/
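Review bot: The new `uses:` lines pin to full SHAs, but nothing on the page shows that `bf251b5aa9c2f7eeb574a96ee720e24f801b7c11` and `ea165f8d65b6e75b540449e92b4886f43607fa02` are the commits the trailing `# v6` and `# v4` comments claim; a pin to an unverified hash gives the same false assurance as a mutable tag, so the description should state how each hash was resolved (for example from the release tag in the upstream repository), and the same applies to the second hunk. Keep the `# vN` trailing comments exactly in that form, since Dependabot and Renovate rely on them to bump pinned SHAs; if no such update configuration exists for this repository, the pins will silently age. The `with:` block of the download step continues outside the first hunk, so whether the artifact download is restricted by branch, commit or run cannot be judged here.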