fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks (#1088)

* chore: publish from staged * fix: pin GitHub Actions to immutable SHA hashes to prevent supply chain attacks Co-authored-by: simonkurtz-MSFT <84809797+simonkurtz-MSFT@users.noreply.github.com> * chore: publish from staged * Clean plugins * Clean plugins * Clean plugins * Fix gem-team plugin * Reset README.plugins.md --------- Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
2026-03-23 17:45:12 +00:00 · 2026-03-22 18:37:40 -05:00
parent 10e717202f
commit 919fdb3f8e
13 changed files with 52 additions and 50 deletions
--- a/agents/se-gitops-ci-specialist.agent.md
+++ b/agents/se-gitops-ci-specialist.agent.md
@@ -59,7 +59,7 @@ Build reliable CI/CD pipelines, debug deployment failures quickly, and ensure ev
 18.16.0

 # CI config (.github/workflows/deploy.yml)
- uses: actions/setup-node@v3
+- uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3.9.1
  with:
    node-version-file: '.node-version'
 ```
@@ -112,7 +112,7 @@ main:
  run: npm audit --audit-level=high

 - name: Secret scanning
-  uses: trufflesecurity/trufflehog@main
+  uses: trufflesecurity/trufflehog@6c05c4a00b91aa542267d8e32a8254774799d68d # v3.93.8
 ```

 ## Step 4: Debugging Methodology
@@ -209,7 +209,7 @@ jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - run: npm ci
      - run: npm test