[PR #365] [MERGED] ci: pin workflow action versions to specific commits #397

Closed
opened 2026-06-05 17:22:56 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/langchain-ai/deepagentsjs/pull/365
Author: @jkennedyvz
Created: 3/25/2026
Status: Merged
Merged: 3/25/2026
Merged by: @jkennedyvz

Base: mainHead: ci/pin-workflow-action-versions


📝 Commits (1)

  • 5d06a21 ci: pin workflow action versions to specific commits

📊 Changes

2 files changed (+12 additions, -12 deletions)

View changed files

📝 .github/workflows/cli-release.yml (+11 -11)
📝 .github/workflows/pr_lint.yml (+1 -1)

📄 Description

Improves security and reproducibility by pinning all GitHub Actions to specific commit SHAs.

Changes:

  • cli-release.yml: Pin all actions (checkout, setup-python, setup-node, pnpm, upload-artifact, download-artifact, action-gh-release) to specific SHAs
  • pr_lint.yml: Change permissions from pull-requests: read to contents: read to reduce unnecessary secret exposure on pull_request triggers

Benefits:

  • Prevents supply chain attacks via action version hijacking
  • Ensures exact reproducibility of workflows
  • Follows GitHub security best practices

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/langchain-ai/deepagentsjs/pull/365 **Author:** [@jkennedyvz](https://github.com/jkennedyvz) **Created:** 3/25/2026 **Status:** ✅ Merged **Merged:** 3/25/2026 **Merged by:** [@jkennedyvz](https://github.com/jkennedyvz) **Base:** `main` ← **Head:** `ci/pin-workflow-action-versions` --- ### 📝 Commits (1) - [`5d06a21`](https://github.com/langchain-ai/deepagentsjs/commit/5d06a21e911da2f85beca38e72848a2b3e20f079) ci: pin workflow action versions to specific commits ### 📊 Changes **2 files changed** (+12 additions, -12 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/cli-release.yml` (+11 -11) 📝 `.github/workflows/pr_lint.yml` (+1 -1) </details> ### 📄 Description Improves security and reproducibility by pinning all GitHub Actions to specific commit SHAs. Changes: - cli-release.yml: Pin all actions (checkout, setup-python, setup-node, pnpm, upload-artifact, download-artifact, action-gh-release) to specific SHAs - pr_lint.yml: Change permissions from `pull-requests: read` to `contents: read` to reduce unnecessary secret exposure on `pull_request` triggers Benefits: - Prevents supply chain attacks via action version hijacking - Ensures exact reproducibility of workflows - Follows GitHub security best practices --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-06-05 17:22:56 -04:00
yindo closed this issue 2026-06-05 17:22:56 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/deepagentsjs#397