Pin anthropics/claude-code-action to commit SHA to mitigate RCE vulnerability

[Copilot]

Mutable tag references in GitHub Actions allow attackers to alter third-party actions and execute arbitrary code in CI, potentially exfiltrating secrets or injecting backdoors.

Changes

• Pin anthropics/claude-code-action@v1 to commit SHA ea36d6abdedc17fc2a671b36060770b208a6f8f1
• Add inline comment documenting the v1 tag reference for future maintainers

# Before
uses: anthropics/claude-code-action@v1

# After  
uses: anthropics/claude-code-action@ea36d6abdedc17fc2a671b36060770b208a6f8f1 # v1

Trade-off

Future upstream updates to the v1 tag will not auto-apply. SHA must be manually updated to pull in new versions.

Original prompt

Security Issue

Remote code execution (RCE) vulnerability from unpinned third-party action in GitHub Actions workflow.

Risk: An attacker could alter the action and run arbitrary code in CI, exfiltrating secrets, tampering with artifacts, or injecting backdoors into build outputs.

Root Cause: The workflow references third-party actions by tag or branch. Without a 40-character commit SHA pin, the action is mutable and its integrity cannot be guaranteed.

Required Fix

In .github/workflows/claude.yml at line 35, pin the third-party action anthropics/claude-code-action@v1 to a full-length commit SHA.

Action to fix: anthropics/claude-code-action@v1

Steps:

1. Find the latest commit SHA for the v1 tag of anthropics/claude-code-action
2. Replace uses: anthropics/claude-code-action@v1 with uses: anthropics/claude-code-action@<40-hex-sha>
3. Add a comment indicating what version/tag this SHA corresponds to for future reference

Example format:

- name: Run Claude Code
  uses: anthropics/claude-code-action@abc123def456... # v1

Constraints

• Keep changes minimal - only modify the action reference on line 35
• Do not change any other part of the workflow
• Ensure the commit SHA is exactly 40 hexadecimal characters
• Add a comment to document which version the SHA represents

Impact

Pinning to an exact commit prevents automatic updates from tags/branches. Future upstream changes will not apply until the pinned SHA is manually updated.

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.