From 1e4b7476f1a71ca724426d32e468304253a3bdd9 Mon Sep 17 00:00:00 2001 From: Claude Date: Thu, 9 Jul 2026 19:07:44 +0000 Subject: [PATCH] docs: fix stale action-pin version comments across security workflows devskim.yml/codeql.yml/semgrep.yml/fortify.yml labeled the actions/checkout SHA 9c091bb2... and actions/setup-python SHA ece7cb06... as v6/v7, while ci.yml/pip-audit.yml/codex.yml/claude.yml label the identical SHAs v7.0.0/v6.3.0. Verified against upstream tags (git ls-remote --tags): the checkout SHA maps to v7.0.0, the setup-python SHA maps to v6.3.0. Comment-only change, zero behavior change. --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/devskim.yml | 4 ++-- .github/workflows/fortify.yml | 2 +- .github/workflows/semgrep.yml | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 08b2f175..45305a59 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,13 +41,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: fetch-depth: 0 - name: Setup Python (used for analysis runtime / import resolution) if: matrix.language == 'python' - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.12' # match the project's CI target (CLAUDE.md); avoid floating 3.x diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml index 3fe65200..1b3a73d0 100644 --- a/.github/workflows/devskim.yml +++ b/.github/workflows/devskim.yml @@ -29,11 +29,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 # Optional: set up Python & install deps so DevSkim understands imports - name: Set up Python - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: "3.12" cache: "pip" diff --git a/.github/workflows/fortify.yml b/.github/workflows/fortify.yml index 4cfb606f..d87b748b 100644 --- a/.github/workflows/fortify.yml +++ b/.github/workflows/fortify.yml @@ -72,7 +72,7 @@ jobs: steps: - name: Check Out Source Code - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v6 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Run Fortify Scan # Pinned to the v3 release commit (supply-chain hardening: a floating diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml index 17919790..1889a538 100644 --- a/.github/workflows/semgrep.yml +++ b/.github/workflows/semgrep.yml @@ -32,7 +32,7 @@ jobs: fetch-depth: 0 - name: Set up Python - uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6.3.0 with: python-version: '3.12'