ci: pin non-GitHub-owned GitHub Actions #130

Merged: marten-seemann merged 1 commit into master from ci-pin-gha (Jun 14, 2026)
marten-seemann (Member) commented Jun 14, 2026

Pin third-party GitHub Actions to specific commit SHAs in deploy workflow

Replaces floating major version tags (v3, v4) for peaceiris/actions-hugo and peaceiris/actions-gh-pages with pinned commit SHAs in deploy.yml. The pinned versions correspond to v3.2.1 and v4.1.0 respectively, noted in inline comments.

Macroscope summarized e79e398.

Copilot AI review requested due to automatic review settings June 14, 2026 07:53

Copilot AI (Contributor) left a comment

Pull request overview

This PR hardens the deployment workflow by pinning third-party GitHub Actions to immutable commit SHAs, reducing supply-chain risk from moving tags.

Changes:

  • Pin peaceiris/actions-hugo to a specific commit SHA (annotated with v3.2.1).
  • Pin peaceiris/actions-gh-pages to a specific commit SHA (annotated with v4.1.0).

@marten-seemann marten-seemann merged commit 5d3f2a5 into master Jun 14, 2026
5 checks passed
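
A check for the rule this PR applies, as an added example that is not code from the PR or the project: it flags `uses:` references to non-GitHub-owned actions that are not pinned to a full 40-character commit SHA. The workflow text and the SHA values are constructed samples, and treating the `actions` and `github` owners as GitHub-owned is an assumption.

```python
import re

# Captures the value of a step's `uses:` key, stopping before any trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
# Assumption: owners treated as GitHub-owned and therefore exempt from pinning.
GITHUB_OWNED = {"actions", "github"}

def unpinned_third_party(workflow_text):
    """Return (line_no, reference) for each third-party action not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images are out of scope here
        target, _, version = ref.partition("@")
        owner = target.split("/", 1)[0].lower()
        if owner in GITHUB_OWNED:
            continue
        # Tags and branches can move; only a full commit SHA is treated as pinned.
        if not FULL_SHA_RE.fullmatch(version):
            findings.append((line_no, ref))
    return findings

# Constructed sample workflow; the SHAs are placeholders, not real commits.
SAMPLE = """\
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Hugo
        uses: peaceiris/actions-hugo@v3
      - uses: peaceiris/actions-gh-pages@0123456789abcdef0123456789abcdef01234567 # v4.1.0
      - uses: peaceiris/actions-gh-pages@0123456 # abbreviated, not a full SHA
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_third_party(SAMPLE):
        print(f"line {line_no}: {ref} is not pinned to a full commit SHA")
```

Run against each file under `.github/workflows/` in CI, a non-empty result can fail the build so that a floating tag does not return in a later change.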