fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks (#1088)

* chore: publish from staged * fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com> * chore: publish from staged * Clean plugins * Clean plugins * Clean plugins * Fix gem-team plugin * Reset README.plugins.md --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-03-23 09:35:13 +00:00 · 2026-03-22 18:37:40 -05:00
parent 10e717202f
commit 919fdb3f8e
13 changed files with 52 additions and 50 deletions
--- a/.github/workflows/validate-readme.yml
+++ b/.github/workflows/validate-readme.yml
@@ -23,12 +23,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: "20"

@@ -66,7 +66,7 @@ jobs:

      - name: Comment on PR if files need updating
        if: steps.check-diff.outputs.status == 'failure' && github.event.pull_request.head.repo.permissions.push == true
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
        with:
          header: readme-validation
          message: |