
ci: Pin third-party GitHub Actions to commit SHAs#5

Closed. n8n-cat-bot[bot] wants to merge 1 commit into master from cat-bot/run-27350592854


Conversation

n8n-cat-bot[bot] commented Jun 11, 2026

Summary

Pins the only third-party GitHub Action used in .github/workflows/node-test.yml to a full commit SHA, with a trailing comment preserving the original version reference. Actions owned by the actions/ and github/ orgs are left as version tags per the task scope.

Changes

  • pnpm/action-setup@v2 → pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2

The SHA eae0cfeb286e66ffb5155f1a79b90583a127a68b is the current tip of the v2 branch in pnpm/action-setup (resolved via the GitHub API). Note that v2 is a moving major-version branch in that repo (no immutable v2 tag exists), which is exactly why pinning it to a commit SHA is the recommended supply-chain hardening — the trailing # v2 comment keeps the original intent readable for future bumps.

Left unchanged (first-party, per task scope):

  • actions/checkout@v3
  • actions/setup-node@v3

Review checklist

  • Diff is mechanical — one line changed, no behavioural impact
  • Trailing # v2 comment preserves the original version tag for traceability
  • First-party actions/* steps untouched per task scope

Not verified

  • The workflow was not executed in this environment; the change is a pure string substitution in the uses: reference and CI will exercise it on the resulting PR.

🐱 Opened by cat-bot. Review the changes; close if the approach is wrong.
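The check a reviewer would run on a PR like this one, as an added example that is not the bot's or the repository's code: it flags `uses:` references to third-party actions whose ref is not a full 40-hex commit SHA, and rewrites a line the way this PR did (SHA plus a trailing comment carrying the original ref). The sample workflow is constructed, not the real node-test.yml; treating the `actions/` and `github/` prefixes as first-party is an assumption taken from the task scope in the PR text.

```python
import re

# One `uses:` step line: owner/repo[/path]@ref, optional trailing text or comment.
# Local actions (`./path`) and `docker://` images have no `@ref` and are not matched.
USES_RE = re.compile(
    r'^(?P<indent>\s*-?\s*uses:\s*)'
    r'(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)(?P<rest>.*)$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# Assumption from the PR's task scope: these orgs are treated as first-party.
FIRST_PARTY = ("actions/", "github/")


def find_unpinned(workflow_text, first_party=FIRST_PARTY):
    """Return (line_no, action, ref) for third-party actions not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group("action"), m.group("ref")
        if action.startswith(first_party) or SHA_RE.match(ref):
            continue
        findings.append((n, action, ref))
    return findings


def pin_line(line, sha):
    """Rewrite one `uses:` line to a SHA, keeping the original ref as a `# ref` comment."""
    m = USES_RE.match(line)
    if not m or not SHA_RE.match(sha):
        raise ValueError("not a uses: line with @ref, or sha is not 40 hex chars")
    return f"{m.group('indent')}{m.group('action')}@{sha} # {m.group('ref')}"


# Constructed sample workflow resembling the PR's node-test.yml (not the real file).
SAMPLE = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
      - uses: pnpm/action-setup@v2
        with:
          version: 8
"""

if __name__ == "__main__":
    for n, action, ref in find_unpinned(SAMPLE):
        print(f"line {n}: {action}@{ref} is not pinned to a commit SHA")
```

Pinning only fixes the ref; a reviewer still confirms, as the PR description does, that the SHA actually belongs to the upstream repository and the intended branch or tag.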


Summary by cubic

Pin pnpm/action-setup in .github/workflows/node-test.yml to a specific commit SHA to prevent version drift and harden CI supply chain. Kept a trailing # v2 comment for readability; actions/checkout@v3 and actions/setup-node@v3 remain unchanged.

Written for commit 729c96c. Summary will update on new commits.

