chore: pin third-party GitHub Actions to commit SHAs (#59)

pkaeding · web-flow · commit c4607088204b · 2026-03-23T10:47:58.000-07:00
## Summary Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the [`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml) Semgrep rule. ## Test plan - [ ] Verify CI passes with pinned action SHAs  --- > [!NOTE] > **Low Risk** > Low risk: workflow-only changes that pin action references; main risk is CI/release breakage if a pinned SHA is incorrect or later removed upstream. > > **Overview** > Pins previously tag-based third-party GitHub Actions in `manual-publish.yml` and `release-please.yml` to specific commit SHAs (notably `release-please-action` and `gh-action-pypi-publish`) to reduce GitHub Actions supply-chain risk. > > Adds inline version comments for the pinned actions; no functional build/release logic changes beyond the pinned references. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit e4ae025. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
@@ -22,7 +22,7 @@ jobs:
           python-version: 3.9
 
       - name: Install poetry
-        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0
 
       - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
         name: "Get PyPI token"
@@ -34,6 +34,6 @@ jobs:
 
       - name: Publish package distributions to PyPI
         if: ${{ inputs.dry_run == false }}
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -13,7 +13,7 @@ jobs:
       contents: write # Contents and pull-requests are for release-please to make releases.
       pull-requests: write
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
         id: release
 
       - uses: actions/checkout@v4
@@ -28,7 +28,7 @@ jobs:
 
       - name: Install poetry
         if: ${{ steps.release.outputs.releases_created == 'true' }}
-        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439
+        uses: abatilo/actions-poetry@7b6d33e44b4f08d7021a1dee3c044e9c253d6439 # v3.0.0
 
       - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
         name: "Get PyPI token"
@@ -45,6 +45,6 @@ jobs:
 
       - name: Publish package distributions to PyPI
         if: ${{ steps.release.outputs.releases_created == 'true' }}
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
