
Commit 6980cef

oschwaldclaude
andcommitted
Pin GitHub Actions to SHA for security
Update official GitHub Actions (actions/*, github/*) to use pinned commit SHAs instead of version tags. This satisfies zizmor's unpinned-action-reference security check. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <[email protected]>
1 parent bfb81ea commit 6980cef


7 files changed

+13
-13
lines changed


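--- a/.github/workflows/address-sanitizer.yml
+++ b/.github/workflows/address-sanitizer.yml
@@ -18,7 +18,7 @@ jobs:
 LDFLAGS: -fsanitize=address
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false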
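Review bot: The trailing `# v6.0.1` comment on the new `uses:` line is the only link between the 40-hex ref and a release, and nothing visible in this change checks that link; the same holds for the checkout, upload-artifact, download-artifact and codeql-action pins in the other six workflow files. A full-length SHA is resolved against the action repository's whole fork network, so each hash should be confirmed to be the commit the upstream tag points to (zizmor's `impostor-commit` audit covers this when it runs online). Pinned refs also stop picking up fixes on their own, so a Dependabot or Renovate rule for the `github-actions` ecosystem should accompany the pins to keep hash and comment moving together; whether the repository already has one is not visible on this page.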

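--- a/.github/workflows/clang-analyzer.yml
+++ b/.github/workflows/clang-analyzer.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@v6
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false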

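--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -20,7 +20,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v6
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 fetch-depth: 2
 submodules: true
@@ -29,7 +29,7 @@ jobs:
 if: ${{ github.event_name == 'pull_request' }}
 
 - name: Initialize CodeQL
-uses: github/codeql-action/init@v4
+uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 with:
 languages: python, cpp
 
@@ -41,4 +41,4 @@ jobs:
 MAXMINDDB_REQUIRE_EXTENSION: 1
 
 - name: Perform CodeQL Analysis
-uses: github/codeql-action/analyze@v4
+uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9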

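--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -56,7 +56,7 @@ jobs:
 runs-on: windows-latest
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false
@@ -82,7 +82,7 @@ jobs:
 CIBW_ARCHS: ${{ matrix.archs || 'auto' }}
 MAXMINDDB_REQUIRE_EXTENSION: 1
 
-- uses: actions/upload-artifact@v6
+- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: maxminddb-whl-${{ matrix.os }}-${{ strategy.job-index }}
 path: ./wheelhouse/*.whl
@@ -91,15 +91,15 @@ jobs:
 name: Build source distribution
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false
 
 - name: Build sdist
 run: pipx run build --sdist
 
-- uses: actions/upload-artifact@v6
+- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
 with:
 name: maxminddb-sdist
 path: dist/*.tar.gz
@@ -112,7 +112,7 @@ jobs:
 id-token: write
 if: github.event_name == 'release' && github.event.action == 'published'
 steps:
-- uses: actions/download-artifact@v7
+- uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 pattern: maxminddb-*
 path: dist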
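Review bot: The steps most worth pinning in this file are not in these hunks: whatever builds the wheels between the checkout at line 59 and the upload at line 85, and whatever consumes `dist` after line 118 in the job that holds `id-token: write`. The commit description limits the change to `actions/*` and `github/*`, so if those steps reference third-party actions by tag or branch they are still mutable refs in the job that can mint an OIDC token, and they deserve the same `owner/repo@<full-sha> # vX.Y.Z` form used here. The enclosing jobs start and end outside the hunks, so this cannot be confirmed from the page.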

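--- a/.github/workflows/test-libmaxminddb.yml
+++ b/.github/workflows/test-libmaxminddb.yml
@@ -26,7 +26,7 @@ jobs:
 MM_FORCE_EXT_TESTS: 1
 
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false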

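--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,7 +18,7 @@ jobs:
 env: ["3.10", 3.11, 3.12, 3.13, 3.14]
 os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest, windows-latest]
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 submodules: true
 persist-credentials: false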

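--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -15,7 +15,7 @@ jobs:
 security-events: write
 steps:
 - name: Checkout repository
-uses: actions/checkout@v6
+uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
 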