Security: pin GitHub Actions to specific SHAs (#6480)

2026-04-05 09:41:21 -07:00 · 2026-03-29 13:04:10 -07:00
parent a81ac47be9
commit 4c3c4805c8
8 changed files with 42 additions and 42 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -13,13 +13,13 @@ jobs:
      matrix:
        shard: [1, 2, 3, 4]
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5
        with:
          version: 9

-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version: 20
          cache: pnpm
@@ -28,7 +28,7 @@ jobs:
      # Run Vitest directly so `--shard` is parsed as an option
      - run: pnpm -s exec vitest run --coverage --shard ${{ matrix.shard }}/4 --pool forks
      - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./coverage/lcov.info