ci: pin third-party actions to commit SHAs

Replaces version tags (e.g. astral-sh/setup-uv@v6, slackapi/slack-github-action@v2.1.0)
with full commit SHAs across every workflow. Mitigates supply-chain risk from
mutable tags.
This commit is contained in:
Greyson LaLonde
2026-05-20 01:36:47 +08:00
parent da15554d81
commit fb6930d78e
11 changed files with 18 additions and 18 deletions

View File

@@ -22,7 +22,7 @@ jobs:
steps:
- name: Generate GitHub App token
id: app-token
uses: tibdex/github-app-token@v2
uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2
with:
app_id: ${{ secrets.CREWAI_TOOL_SPECS_APP_ID }}
private_key: ${{ secrets.CREWAI_TOOL_SPECS_PRIVATE_KEY }}
@@ -34,7 +34,7 @@ jobs:
token: ${{ steps.app-token.outputs.token }}
- name: Install uv
uses: astral-sh/setup-uv@v6
uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6
with:
version: "0.11.3"
python-version: "3.12"