Pin actions/checkout to immutable SHA across all workflow files#21

Merged
pmalarme merged 2 commits into feature/add-documentation-and-copilot-instructions from copilot/sub-pr-18-another-one
Feb 19, 2026
Conversation

Contributor

Copilot AI commented Feb 19, 2026

All workflow files were referencing actions/checkout@v6 — a mutable (and non-existent) tag, exposing workflows to both runtime failures and supply-chain substitution attacks.

Changes

  • Replaced actions/checkout@v6 with the SHA-pinned equivalent in all 8 workflow files:
    • monorepo-release.yml
    • python-code-quality.yml
    • python-tests.yml
    • python-package-build.yml
    • python-docker-build.yml (2 steps)
    • python-release.yml
    • python-docs.yml
    • codeql-analysis.yml

Before:

- name: Checkout
  uses: actions/checkout@v6

After:

- name: Checkout
  uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

SHA matches what security-review.lock.yml already uses as the canonical pinned reference.

Testing

  • Not run (why?)
  • uv run poe check
  • Other: No executable code changed — YAML-only. Verified no remaining @v* checkout references via grep.

Checklist

  • Linked issue or task reference
  • Added/updated tests where relevant
  • Updated docs/README if needed
  • No secrets or sensitive data added
  • Considered backward compatibility and deployment impact

Additional context


Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
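As an added example (not the project's own tooling and not part of this PR): a shell audit that generalizes the grep mentioned under Testing from actions/checkout to every `uses:` reference in a workflow directory. It flags any owner/repo@ref that is not a 40-hex commit SHA (tags such as @v6 are mutable pointers the action's maintainers, or anyone holding their credentials, can move), and separately lists SHA pins that lack the trailing "# vX.Y.Z" comment that tells a reader and Dependabot which release the SHA corresponds to. The two workflow files it writes are constructed for the demo: the actions/checkout SHA is the one from this PR, while setup-python@v5, the all-zero SHA and the local action path are placeholders.

```shell
#!/bin/sh
# Added example, not the project's own code: audit GitHub Actions workflows
# for `uses:` references that are not pinned to a full commit SHA.
set -eu

# List unpinned `uses:` references under DIR as "file:line:content".
# Only owner/repo@ref forms are examined; local actions (uses: ./path) and
# docker:// images carry no @ref and are skipped.
list_unpinned_uses() {
    dir="$1"
    grep -rnE '^[[:space:]-]*uses:[[:space:]]*[^[:space:]@]+@[^[:space:]]+' \
        --include='*.yml' --include='*.yaml' "$dir" \
      | grep -vE '@[0-9a-fA-F]{40}([[:space:]]|$)' || true
}

# Number of unpinned references under DIR; 0 means every uses: is SHA-pinned.
count_unpinned_uses() {
    list_unpinned_uses "$1" | grep -c . || true
}

# List SHA-pinned references that lack a trailing "# vX.Y.Z" version comment.
list_pins_without_version_comment() {
    dir="$1"
    grep -rnE '^[[:space:]-]*uses:[[:space:]]*[^[:space:]@]+@[0-9a-fA-F]{40}' \
        --include='*.yml' --include='*.yaml' "$dir" \
      | grep -vE '@[0-9a-fA-F]{40}[[:space:]]+#[[:space:]]*v?[0-9]' || true
}

# Constructed sample workflows (not the repository's real files) so the audit
# runs offline. before.yml mirrors this PR's "before"; after.yml its "after".
# The all-zero SHA is a placeholder used only to show the missing-comment check.
make_sample_workflows() {
    d=$(mktemp -d)
    mkdir -p "$d/.github/workflows"
    cat > "$d/.github/workflows/before.yml" <<'EOF'
name: before
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - uses: ./.github/actions/local-helper
EOF
    cat > "$d/.github/workflows/after.yml" <<'EOF'
name: after
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-python@0000000000000000000000000000000000000000
EOF
    printf '%s\n' "$d"
}

# When executed directly: audit the constructed sample and print the findings.
# Against a real checkout, call list_unpinned_uses .github/workflows instead.
sample_dir=$(make_sample_workflows)
printf 'Unpinned uses: references under %s\n' "$sample_dir"
list_unpinned_uses "$sample_dir"
printf 'SHA-pinned references missing a version comment:\n'
list_pins_without_version_comment "$sample_dir"
printf 'unpinned count: %s\n' "$(count_unpinned_uses "$sample_dir")"
rm -rf "$sample_dir"
```

Wire `count_unpinned_uses .github/workflows` into the pre-merge checks and fail the job when it is non-zero; that turns the one-off grep in this PR into a standing control, so a later PR cannot reintroduce a tag reference unnoticed.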
Copilot AI changed the title from "[WIP] Address feedback on documentation and copilot instructions" to "Pin actions/checkout to immutable SHA across all workflow files" Feb 19, 2026
Copilot AI requested a review from pmalarme February 19, 2026 11:51
@pmalarme pmalarme marked this pull request as ready for review February 19, 2026 11:56
@pmalarme pmalarme merged commit 7257783 into feature/add-documentation-and-copilot-instructions Feb 19, 2026
10 checks passed
@pmalarme pmalarme deleted the copilot/sub-pr-18-another-one branch February 19, 2026 12:07