Pin Forgejo Actions by commit SHA (#45) #58

Merged
james merged 1 commit from 45-pin-actions-sha into main 2026-06-15 12:06:56 +00:00
Owner

Closes #45.

Summary

  • Rewrote every uses: actions/...@vX.Y.Z line in .forgejo/workflows/pr.yml to uses: actions/...@<full-40-char-sha> # vX.Y.Z. Tags resolved from code.forgejo.org (the runner's default action registry):
    • actions/checkout@v6.0.3 → 9f698171ed81b15d1823a05fc7211befd50c8ae0
    • actions/setup-node@v6.4.0 → 48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
  • Documented the convention in CLAUDE.md under Working in this repo, with the mutable-tag rationale and the canonical line shape so future workflow edits stay SHA-pinned.
  • Renovate (#44) will keep the SHAs (and tag comments) fresh once that ticket lands; this PR is the one-time backfill.

Acceptance criteria

  • No uses: line in .forgejo/workflows/ references a mutable tag without a SHA pin.
  • PR pipeline still passes against the SHA-pinned actions. (CI to confirm)
  • Convention documented; rationale (mutable-tag risk) explained inline.

Test plan

  • CI green on this PR — same runner image, same actions, just frozen at the SHA we already use.
  • grep -n 'uses:' .forgejo/workflows/pr.yml shows every line ends in # vX.Y.Z.
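An added check for the acceptance criterion above, written as a POSIX sh script; it is not part of this PR or the repo. It assumes the convention covers third-party actions only (local `./` actions are skipped), and the two sample workflows are constructed, with only the two SHAs taken from the description.

```shell
#!/bin/sh
# Checks the convention from this PR: every third-party `uses:` line must be
# `owner/repo@<40-hex-sha> # vX.Y.Z`. Sample workflows below are constructed;
# only the two SHAs come from the PR description.

# Full 40-hex SHA after '@', then a trailing "# vX.Y.Z" tag comment.
PIN_RE='uses:[[:space:]]*[^@[:space:]]+@[0-9a-f]{40}[[:space:]]+#[[:space:]]*v[0-9]+(\.[0-9]+)*[[:space:]]*$'

# check_pins FILE: print each non-compliant uses: line (with its line number)
# and return 1; return 0 when every line complies. Local actions (./path) have
# no tag to pin and are skipped (assumption: convention is third-party only).
check_pins() {
  unpinned=$(grep -n 'uses:' "$1" \
    | grep -vE 'uses:[[:space:]]*.?\./' \
    | grep -vE "$PIN_RE" || true)
  [ -z "$unpinned" ] && return 0
  printf '%s\n' "$unpinned"
  return 1
}

# Constructed sample of what pr.yml looks like after this PR.
sample_pinned() {
  cat <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@9f698171ed81b15d1823a05fc7211befd50c8ae0 # v6.0.3
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      - uses: ./.forgejo/actions/local-step
EOF
}

# Constructed sample with three violations: a mutable release tag, a SHA that
# lacks the tag comment Renovate needs, and a floating major tag.
sample_unpinned() {
  cat <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v6.0.3
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
      - uses: actions/setup-node@v6
EOF
}

# Usage on the real file: sh check_pins.sh .forgejo/workflows/pr.yml
if [ $# -gt 0 ]; then check_pins "$1"; fi
```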
Pin Forgejo Actions by commit SHA (#45)
All checks were successful
PR / OSV-Scanner (pull_request) Successful in 19s
PR / Lint (pull_request) Successful in 39s
PR / Typecheck (pull_request) Successful in 41s
PR / npm audit (pull_request) Successful in 42s
PR / Trivy (image) (pull_request) Successful in 45s
PR / Static analysis (Semgrep) (pull_request) Successful in 45s
PR / Test (sqlite) (pull_request) Successful in 52s
PR / Test (postgres) (pull_request) Successful in 53s
PR / Build (pull_request) Successful in 1m0s
428215f78f
Tags on third-party actions are mutable; pinning by SHA freezes each
action at the snapshot we reviewed. Tag kept in a trailing comment for
human readability and so Renovate (#44) can bump both fields in lockstep.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
james merged commit e8e2df123e into main 2026-06-15 12:06:56 +00:00