From 20ca6ec5a73743bba6213a311da2441eb4f6ade7 Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Tue, 31 Mar 2026 18:45:12 -0400
Subject: [PATCH 1/2] [SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the third-party-action-not-pinned-to-commit-sha Semgrep rule.
---
 .github/workflows/check-go-versions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-go-versions.yml b/.github/workflows/check-go-versions.yml
index 764f5888..ea3a1a4f 100644
--- a/.github/workflows/check-go-versions.yml
+++ b/.github/workflows/check-go-versions.yml
@@ -63,7 +63,7 @@ jobs:
 - name: Create pull request
 if: steps.update-go-versions.outcome == 'success'
- uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.0.0
+ uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 add-paths: |

From 8bd63db7f98368d58054086ff5ca81c515493eb0 Mon Sep 17 00:00:00 2001
From: Patrick Kaeding
Date: Wed, 1 Apr 2026 12:46:46 -0400
Subject: [PATCH 2/2] Apply suggestion from @keelerm84

Co-authored-by: Matthew M. Keeler
---
 .github/workflows/check-go-versions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/check-go-versions.yml b/.github/workflows/check-go-versions.yml
index ea3a1a4f..cdc7cd4d 100644
--- a/.github/workflows/check-go-versions.yml
+++ b/.github/workflows/check-go-versions.yml
@@ -63,7 +63,7 @@ jobs:
 - name: Create pull request
 if: steps.update-go-versions.outcome == 'success'
- uses: peter-evans/create-pull-request@b1ddad2c994a25fbc81a28b3ec0e368bb2021c50 # v6.0.0
+ uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
 add-paths: |
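Review bot: The removed line was already pinned to a full-length commit SHA, so this hunk only swaps `c5a7806660…` for `b1ddad2c99…` under the same `# v6.0.0` annotation, and nothing in the patch shows which of the two commits the `v6.0.0` tag actually resolves to. A SHA pin is only as auditable as its SHA-to-tag mapping, because reviewers and updaters such as Dependabot or Renovate read the trailing comment rather than re-resolving the tag, so a wrong annotation silently defeats the check the Semgrep rule is meant to enable. Before merging, confirm the mapping with `git ls-remote --tags https://github.com/peter-evans/create-pull-request v6.0.0` and record the verified SHA in the commit message; the description's "prevent supply chain attacks" is also stronger than what pinning buys (it blocks tag rewrites, not a compromised upstream commit). The enclosing job and its `steps:` list begin outside the hunk, and the `add-paths:` block scalar continues past it.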
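Review bot: This hunk restores exactly the SHA the first patch removed (`c5a7806660adbe…`) and changes only the annotation from `# v6.0.0` to `# v6.1.0`, so the net effect of the series is a comment-only edit to a line that was already pinned. If `c5a7806660…` really is the `v6.1.0` commit, the original annotation was merely stale and the commit message should say so, since an already-pinned line would not normally trigger third-party-action-not-pinned-to-commit-sha; if it is not, this reintroduces the SHA/tag mismatch the first patch tried to remove. Consider squashing the two commits and verifying the mapping mechanically, e.g. `git ls-remote --tags https://github.com/peter-evans/create-pull-request v6.1.0` or a pin-checking tool run in CI, so the `# vX.Y.Z` comment cannot drift from the SHA again. The `add-paths:` block scalar continues beyond the hunk.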