Pin all GitHub Actions to full commit SHAs

Org policy now requires actions pinned to immutable SHAs instead of mutable version tags. Pin actions/checkout, actions/github-script, softprops/action-gh-release, and oven-sh/setup-bun across all workflows.
2026-02-24 22:21:40 -08:00 · 2026-02-24 22:21:40 -08:00 · fc3e3a4d7d
commit fc3e3a4d7d
parent 3cf1d2501f
4 changed files with 11 additions and 11 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Validate self-hosted runner guards
        run: ./tests/test_ci_self_hosted_guard.sh
@ -23,10 +23,10 @@ jobs:
        working-directory: web
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

      - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@3d267786b128fe76c2f16a390aa2448b815359f3 # v2

      - name: Install dependencies
        run: bun install --frozen-lockfile
@ -43,7 +43,7 @@ jobs:
      cancel-in-progress: false
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          submodules: recursive