
ci: pin GitHub Actions to full commit SHAs in claude.yml #362

Open

XananasX7 wants to merge 1 commit into anthropics:main from XananasX7:ci/pin-actions-to-full-commit-sha

Conversation

@XananasX7


Summary

Pins all GitHub Actions to full immutable commit SHAs instead of mutable version tags.

Vulnerability

Mutable tags (@v1, @v3, @v4, etc.) can be silently updated — a compromised action repository could deliver malicious code into CI with access to secrets and write permissions. This is the same attack class as the tj-actions/changed-files supply chain incident (March 2025).

Change

All uses: action@vX references replaced with uses: action@<full-sha> # vX. No behaviour change — pins point to the exact same code as the current tags.

References

Actions pinned

Action                         Tag   SHA
actions/checkout               v4    34e1148
anthropics/claude-code-action  v1    a92e7c7

@XananasX7 XananasX7 requested a review from a team as a code owner June 28, 2026 01:41
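As an added illustration of the check this PR is enforcing by hand, here is a small audit script that walks a workflow file's `uses:` lines and reports every reference that is not pinned to a full 40-hex commit SHA. It is example code written for this page, not part of the anthropics repository or of this PR; the two workflow fragments are constructed samples, and the SHAs in the pinned one are placeholders, not the commits the PR actually pins.

```python
import re

# Constructed "before" fragment: mutable version tags, the state this PR moves away from.
UNPINNED_WORKFLOW = """
name: Claude
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
"""

# Constructed "after" fragment: full-length SHAs with the tag kept as a trailing comment.
# The SHAs below are placeholders for illustration, not real commits.
PINNED_WORKFLOW = """
name: Claude
on: [pull_request]
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
      - uses: anthropics/claude-code-action@89abcdef0123456789abcdef0123456789abcdef
"""

# Matches "- uses: <value>" with an optional trailing "# comment"; quotes around the value are tolerated.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(?:#\s*(\S.*))?$')
# A full commit SHA is exactly 40 lowercase hex characters; anything shorter or symbolic is mutable.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_ref(uses_value):
    """Classify one uses: value as local, docker, missing-ref, full-sha, or mutable."""
    if uses_value.startswith('./'):
        return 'local'          # actions checked into the same repository, no remote ref to pin
    if uses_value.startswith('docker://'):
        return 'docker'         # container images are pinned by digest, a separate check
    if '@' not in uses_value:
        return 'missing-ref'    # GitHub rejects these, but report them rather than crash
    _, ref = uses_value.rsplit('@', 1)
    return 'full-sha' if FULL_SHA_RE.fullmatch(ref) else 'mutable'


def audit_workflow(text):
    """Return one finding per uses: line: line number, value, classification, trailing comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        uses_value, comment = match.group(1), match.group(2)
        findings.append({
            'line': lineno,
            'uses': uses_value,
            'kind': classify_ref(uses_value),
            'comment': comment.strip() if comment else None,
        })
    return findings


def unpinned(text):
    """Actions still referenced by a tag or branch (the condition this PR fixes)."""
    return [f for f in audit_workflow(text) if f['kind'] == 'mutable']


def pinned_without_version_comment(text):
    """SHA-pinned actions that lack the '# vX' comment, which reviewers rely on to see what the SHA means."""
    return [f for f in audit_workflow(text) if f['kind'] == 'full-sha' and not f['comment']]


if __name__ == '__main__':
    for label, text in (('before', UNPINNED_WORKFLOW), ('after', PINNED_WORKFLOW)):
        print(f'[{label}]')
        for f in unpinned(text):
            print(f"  line {f['line']}: {f['uses']} is not pinned to a full commit SHA")
        for f in pinned_without_version_comment(text):
            print(f"  line {f['line']}: {f['uses']} is pinned but has no version comment")
```

Run against a real workflow, the `unpinned` list is what a CI gate would fail on; `pinned_without_version_comment` is a softer readability check matching the `# vX` convention the PR description uses. Keeping the tag in the comment is what lets a later reviewer confirm that a SHA still corresponds to the release it claims to be.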
