
Commit c8f9ac0

jimisola and Jimisola Laursen authored
build: SHA-pin GitHub Actions for supply-chain security (#82)
* build: SHA-pin GitHub Actions for supply-chain security

  Pin external action references to exact commit SHAs instead of branch or major-version tags to prevent supply-chain attacks.

  Signed-off-by: jimisola <jimisola@jimisola.com>

* build: remove shared workflow SHA pin

  Revert check-semantic-pr.yml — shared workflow pinning will be handled separately via semver tagging of the .github repo.

  Signed-off-by: jimisola <jimisola@jimisola.com>

---------

Signed-off-by: jimisola <jimisola@jimisola.com>
Co-authored-by: Jimisola Laursen <jimisola.laursen@resurs.se>
1 parent a2ba626 commit c8f9ac0

File tree

2 files changed: +2 / -2 lines changed

.github/workflows/publish_pypi_prod.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,6 @@ jobs:
3131
path: dist
3232
- name: Publish distribution 📦 to PyPI
3333
# if: startsWith(github.ref, 'refs/tags')
34-
uses: pypa/gh-action-pypi-publish@release/v1
34+
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
3535
with:
3636
sign-artifacts: true
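Review bot: the trailing `# v1.13.0` comment is the only human-readable link between the SHA and a release, so before merge the pin should be checked against the upstream tag (for example with `git ls-remote https://github.com/pypa/gh-action-pypi-publish refs/tags/v1.13.0` and comparing the resolved commit), and the `@<sha> # vX.Y.Z` format should be kept as-is so Dependabot or Renovate can bump the SHA and the comment together. Separately, the `# if: startsWith(github.ref, 'refs/tags')` guard two lines above this step is still commented out on the production publish job; pinning the action does not constrain when a publish runs, so if that guard is intentionally disabled it deserves a comment explaining why, otherwise it should be re-enabled in a follow-up.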

.github/workflows/publish_pypi_test.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ jobs:
2828
name: dist
2929
path: dist
3030
- name: Publish distribution 📦 to Test PyPI
31-
uses: pypa/gh-action-pypi-publish@release/v1
31+
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
3232
with:
3333
repository-url: https://test.pypi.org/legacy/
3434
sign-artifacts: true
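Review bot: this is the same SHA and version comment as in publish_pypi_prod.yml, so the two workflows now carry a duplicated pin that must be bumped in lockstep; add a `github-actions` entry to `.github/dependabot.yml` (or the equivalent Renovate config) so both files are updated in one PR, otherwise the Test PyPI and production workflows will drift onto different action versions and a bug reproduced in one will not reproduce in the other.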

0 commit comments
