Skip to content

workflows: pin all actions to full-length commit SHA #3523

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
SMillerDev merged 2 commits into from
Jan 28, 2026
Merged

workflows: pin all actions to full-length commit SHA #3523

SMillerDev merged 2 commits into from
Jan 28, 2026

Conversation

@wofferl
Copy link
Collaborator

@wofferl wofferl commented Jan 27, 2026
edited
Loading

@Grotax @SMillerDev
Because the actions failed lately, I changed this PR to also pin all unpinned actions.

The actions actions/[email protected] and actions/[email protected] are not allowed in nextcloud/news because all actions must be pinned to a full-length commit SHA.

Checklist

@wofferl wofferl added 3. to review Skip-Changelog No changelog update is required, minor change labels Jan 27, 2026
@codecov
Copy link

codecov bot commented Jan 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@wofferl wofferl changed the title workflows: add Skip-Changelog label to npm audit fix workflows: pin all actions to full-length commit SHA Jan 27, 2026
@wofferl wofferl force-pushed the fix_npm_audit_workflow branch from 3778821 to 5b344c0 Compare January 27, 2026 20:49
SMillerDev
SMillerDev approved these changes Jan 27, 2026
View reviewed changes
Copy link
Contributor

@SMillerDev SMillerDev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should just introduce zizmor to check for this and more issues

@wofferl
Copy link
Collaborator Author

wofferl commented Jan 28, 2026

Maybe we should just introduce zizmor to check for this and more issues

https://help.nextcloud.com/t/pinned-actions-enforced-in-nextcloud-github-org/239414

It seems that "end of the week" was earlier for us

@SMillerDev SMillerDev merged commit cef80ff into nextcloud:master Jan 28, 2026
33 of 36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SMillerDev SMillerDev SMillerDev approved these changes

Assignees

No one assigned

Labels

3. to review Skip-Changelog No changelog update is required, minor change

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@wofferl @SMillerDev