Pin all versions of any uses: in the sast, test-claudecode.yaml and action.yaml files

Eduard-Voiculescu · Eduard-Voiculescu · commit 788b2bc6ec12 · 2026-01-12T12:35:28.000-05:00
Instead of using @Version, pin all github actions uses to a specific commit hash. This makes is that much harder for a supply chain attack to occur.
diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
@@ -14,12 +14,12 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
-      
-      - uses: ./  # Points directly to action.yml
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 pinned to commit hash
+
+      - uses: ./ # Points directly to action.yml
         with:
           comment-pr: true
           upload-results: true
           exclude-directories: "tests/vulnerable"
           claude-api-key: ${{ secrets.CLAUDE_API_KEY }}
-          run-every-commit: true
+          run-every-commit: true
diff --git a/.github/workflows/test-claudecode.yml b/.github/workflows/test-claudecode.yml
@@ -16,45 +16,45 @@ permissions:
 jobs:
   test-claudecode:
     runs-on: ubuntu-latest
-    
+
     steps:
-    - uses: actions/checkout@v4
-    
-    - name: Set up Python
-      uses: actions/setup-python@v4
-      with:
-        python-version: '3.10'
-    
-    - name: Set up Node.js
-      uses: actions/setup-node@v4
-      with:
-        node-version: '20'
-    
-    - name: Install Claude CLI
-      run: |
-        npm install -g @anthropic-ai/claude-code
-    
-    - name: Install dependencies
-      run: |
-        pip install pytest pytest-cov
-        pip install -r claudecode/requirements.txt
-    
-    - name: Run ClaudeCode unit tests
-      run: |
-        export PYTHONPATH="${PYTHONPATH}:${PWD}"
-        pytest claudecode -v --cov=claudecode --cov-report=term-missing
-    
-    - name: Install Bun
-      uses: oven-sh/setup-bun@v2
-      with:
-        bun-version: latest
-    
-    - name: Install script dependencies
-      run: |
-        cd scripts
-        bun install
-    
-    - name: Run comment script tests
-      run: |
-        cd scripts
-        bun test
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 pinned to commit hash
+
+      - name: Set up Python
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 pinned to commit hash
+        with:
+          python-version: "3.10"
+
+      - name: Set up Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 pinned to commit hash
+        with:
+          node-version: "20"
+
+      - name: Install Claude CLI
+        run: |
+          npm install -g @anthropic-ai/claude-code
+
+      - name: Install dependencies
+        run: |
+          pip install pytest pytest-cov
+          pip install -r claudecode/requirements.txt
+
+      - name: Run ClaudeCode unit tests
+        run: |
+          export PYTHONPATH="${PYTHONPATH}:${PWD}"
+          pytest claudecode -v --cov=claudecode --cov-report=term-missing
+
+      - name: Install Bun
+        uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0 pinned to commit hash
+        with:
+          bun-version: latest
+
+      - name: Install script dependencies
+        run: |
+          cd scripts
+          bun install
+
+      - name: Run comment script tests
+        run: |
+          cd scripts
+          bun test
diff --git a/action.yml b/action.yml
@@ -69,14 +69,14 @@ runs:
         echo "::endgroup::"
     
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 pinned to commit hash
       with:
         python-version: '3.x'
     
     - name: Check ClaudeCode run history
       id: claudecode-history
       if: github.event_name == 'pull_request'
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 pinned to commit hash
       with:
         path: .claudecode-marker
         key: claudecode-${{ github.repository_id }}-pr-${{ github.event.pull_request.number }}-${{ github.sha }}
@@ -149,14 +149,14 @@ runs:
     
     - name: Save ClaudeCode reservation to cache
       if: steps.claudecode-check.outputs.enable_claudecode == 'true' && github.event_name == 'pull_request'
-      uses: actions/cache/save@v4
+      uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 pinned to commit hash
       with:
         path: .claudecode-marker
         key: claudecode-${{ github.repository_id }}-pr-${{ github.event.pull_request.number }}-${{ github.sha }}
     
     - name: Set up Node.js
       if: steps.claudecode-check.outputs.enable_claudecode == 'true'
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 pinned to commit hash
       with:
         node-version: '18'
     
@@ -307,7 +307,7 @@ runs:
     
     - name: Upload scan results
       if: always() && inputs.upload-results == 'true'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 pinned to commit hash
       with:
         name: security-review-results
         path: |
