From d67620ab3a8cdf46a34ba23e7fc384fae37f961a Mon Sep 17 00:00:00 2001
From: Dan Egan
Date: Thu, 18 Jun 2026 16:17:52 -0400
Subject: [PATCH 1/2] chore(deps): pin GitHub Actions to verified SHAs and refresh versions

Refresh the github-actions group to current stable releases, each pinned to the full commit SHA of its tag (verified against upstream) so the ref cannot be moved out from under us. All selected versions are >7 days old to dodge freshly-published compromised releases.

- actions/checkout v4.2.2 -> v6.0.3
- peter-evans/create-pull-request v7.0.5 -> v8.1.1
- github/codeql-action v3.28.0 -> v4.36.2 (clears CVE-2025-24362)
- softprops/action-gh-release v2.2.0 -> v3.0.0
- pnpm/action-setup v4.0.0 -> v6.0.8
- actions/setup-node v4.1.0 -> v6.4.0

The prior dependabot branch pinned action-gh-release to a SHA that was actually v2.6.1 while the comment claimed v2.2.0; comments now match SHAs.
---
 .github/actions/setup/action.yml | 4 ++--
 .github/workflows/auto-version-bump.yml | 4 ++--
 .github/workflows/ci.yml | 14 +++++++-------
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/copilot-setup-steps.yml | 2 +-
 .github/workflows/release.yml | 4 ++--
 .github/workflows/tag-version.yml | 2 +-
 7 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 207773b..92bde7d 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -5,12 +5,12 @@ runs:
 using: 'composite'
 steps:
 - name: Setup pnpm
- uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+ uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 with:
 version: 9.0.0
 - name: Setup Node.js 22.14.0
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version-file: '.nvmrc'
 cache: 'pnpm'
diff --git a/.github/workflows/auto-version-bump.yml b/.github/workflows/auto-version-bump.yml
index 7612c3b..528d38a 100644
--- a/.github/workflows/auto-version-bump.yml
+++ b/.github/workflows/auto-version-bump.yml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
 token: ${{ secrets.GITHUB_TOKEN }}
@@ -59,7 +59,7 @@ jobs:
 echo "VERSION=$NEW_VERSION" >> $GITHUB_ENV
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # v7.0.5
+ uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
 with:
 branch: bump-version-${{ github.sha }}
 base: main
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2891803..11e030d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 - name: Lint
@@ -28,7 +28,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 - name: Type check
@@ -41,7 +41,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 - name: Build
@@ -54,7 +54,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 - name: Build
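Review bot: The re-pinned checkout steps in the ci.yml hunks at @@ -15, -28, -41 and -54 (and likewise at -75, -89 and -102, and in copilot-setup-steps.yml and codeql.yml) still run actions/checkout with its default `persist-credentials`, so the job's GITHUB_TOKEN remains configured as a git credential in the workspace for every later step, including package install scripts and tests, even though these jobs declare only `contents: read` and never push. The read-only permission bounds the blast radius, but nothing after the checkout in these jobs needs git credentials, so the bump is a natural moment to add `with:` / `persist-credentials: false` under each of those `uses:` lines; the auto-version-bump, release and tag-version checkouts, which pass a token or push tags later, should keep the default. Jumping two majors (v4 to v6) can also shift defaults, so the inputs used here are worth checking against the v5/v6 release notes rather than trusting the pin comment alone. Each job's header and the remaining steps lie outside the hunks.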
@@ -75,7 +75,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 - name: Run tests
@@ -89,7 +89,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 - name: Run tests with coverage
@@ -102,7 +102,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 # First check: Report all moderate+ vulnerabilities but don't fail
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 44af105..8927010 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,19 +26,19 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - name: Initialize CodeQL
- uses: github/codeql-action/init@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: ${{ matrix.language }}
 # Query packs to use for analysis
 queries: security-extended,security-and-quality
 - name: Autobuild
- uses: github/codeql-action/autobuild@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3.28.0
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
index 58cffdc..12db470 100644
--- a/.github/workflows/copilot-setup-steps.yml
+++ b/.github/workflows/copilot-setup-steps.yml
@@ -11,7 +11,7 @@ jobs:
 contents: read
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - uses: ./.github/actions/setup
 - name: Lint
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dbfd7a5..9113e0d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
@@ -85,7 +85,7 @@ jobs:
 git push origin "v${{ env.VERSION }}"
 - name: Create GitHub Release
- uses: softprops/action-gh-release@e7a8f85e1c67a31e6ed99a94b41bd0b71bbee6b8 # v2.2.0
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 with:
 tag_name: v${{ env.VERSION }}
 name: Release v${{ env.VERSION }}
diff --git a/.github/workflows/tag-version.yml b/.github/workflows/tag-version.yml
index e1a0357..3000a41 100644
--- a/.github/workflows/tag-version.yml
+++ b/.github/workflows/tag-version.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
 token: ${{ secrets.GITHUB_TOKEN }}

From e2a6846c627eb0902151b15f9014842d09e4c713 Mon Sep 17 00:00:00 2001
From: Dan Egan
Date: Thu, 18 Jun 2026 18:57:40 -0400
Subject: [PATCH 2/2] chore(deps): drop redundant pnpm version input

action-setup now resolves the version from package.json's packageManager field (pnpm@9.0.0); the explicit version input duplicated it.
---
 .github/actions/setup/action.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 92bde7d..312d0b7 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -6,8 +6,6 @@ runs:
 steps:
 - name: Setup pnpm
 uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
- with:
- version: 9.0.0
 - name: Setup Node.js 22.14.0
 uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
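Review bot: With the `with:` / `version: 9.0.0` lines removed, the `Setup pnpm` step at the top of the hunk no longer shows where the pnpm version comes from, and pnpm/action-setup will presumably fail the step on any checkout whose `package.json` lacks a `packageManager` field; that field is not visible in this patch, so the change rests on the description's claim that it reads `pnpm@9.0.0`. A one-line comment above the `uses:` line would spare the next reader a trip to the action's changelog: `# pnpm version comes from the "packageManager" field in package.json (as .nvmrc does for Node below)`. The effective CI pnpm version is now set by a repository file any pull request can edit, which matches how `node-version-file: '.nvmrc'` already works in the next step, so this is consistent rather than a regression, but the step name `Setup Node.js 22.14.0` hard-codes a version that `.nvmrc` actually decides and may drift the same way. The composite action's `steps:` sequence continues outside the hunk.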