
Commit 60f2382

committed
pin sha
1 parent 382f55e commit 60f2382


1 file changed

+10
-8
lines changed


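--- a/.github/workflows/generate-ea.yml
+++ b/.github/workflows/generate-ea.yml
@@ -32,7 +32,7 @@ jobs:
 steps:
 - name: Check commenter permissions
 if: github.event_name == 'issue_comment'
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const { data: permission } = await github.rest.repos.getCollaboratorPermissionLevel({
@@ -48,29 +48,31 @@ jobs:
 - name: Get PR details (for comment trigger)
 if: github.event_name == 'issue_comment'
 id: pr
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const { data: pr } = await github.rest.pulls.get({
 owner: context.repo.owner,
 repo: context.repo.repo,
 pull_number: context.issue.number
 });
+core.setOutput('head_sha', pr.head.sha);
 core.setOutput('head_ref', pr.head.ref);
 core.setOutput('number', pr.number);
 
 - name: Check out repository
-uses: actions/[email protected]
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
-ref: ${{ github.event_name == 'issue_comment' && steps.pr.outputs.head_ref || github.head_ref }}
+# Use SHA for immutable reference (prevents TOCTOU attacks)
+ref: ${{ github.event_name == 'issue_comment' && steps.pr.outputs.head_sha || github.event.pull_request.head.sha }}
 fetch-depth: 0
 token: ${{ github.token }}
 
 - name: Install uv
 uses: astral-sh/setup-uv@e4db8464a088ece1b920f60402e813ea4de65b8f # v4
 
 - name: Set up Python
-uses: actions/[email protected]
+uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3 # v5.2.0
 with:
 python-version: "3.11"
 
@@ -107,7 +109,7 @@ jobs:
 
 - name: Get YAML file from PR
 id: yaml
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 // Determine PR number based on trigger type
@@ -160,7 +162,7 @@ jobs:
 uv sync
 
 - name: Install Node.js
-uses: actions/[email protected]
+uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
 with:
 node-version: '22'
 
@@ -212,7 +214,7 @@ jobs:
 echo "✅ Changes committed and pushed"
 
 - name: Update PR description
-uses: actions/github-script@v7
+uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
 with:
 script: |
 const jiraKey = '${{ steps.yaml.outputs.jira_key }}';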
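Review bot: Checking out a bare SHA (the new `ref:` in the second hunk) leaves the runner on a detached HEAD, so the later step that reports `Changes committed and pushed` (last hunk; its body is outside this diff) needs an explicit destination such as `git push origin HEAD:${{ steps.pr.outputs.head_ref }}` or the push has no upstream to resolve — please confirm that step already does this, since `head_ref` is still exported for that purpose. Separately, the last hunk's context line `const jiraKey = '${{ steps.yaml.outputs.jira_key }}';` interpolates a step output straight into JavaScript source; that output appears to be derived from a YAML file read out of the PR, so the safer pattern is to pass it via `env: { JIRA_KEY: "${{ steps.yaml.outputs.jira_key }}" }` and read `process.env.JIRA_KEY` inside the script. Whether the yaml step already validates that value is not visible here.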
