From 498a342be9b6d1310d54d1dc745d697db6263e5b Mon Sep 17 00:00:00 2001
From: minagishl
Date: Mon, 29 Jun 2026 11:26:32 +0900
Subject: [PATCH] ci: pin third-party Actions in bench workflow to commit SHAs
Replace mutable refs for pnpm/action-setup, actions/setup-node, and dtolnay/rust-toolchain with immutable commit pins to close the supply-chain hygiene gap reported in #2.
---
 .github/workflows/bench.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index cc21849..73a14c3 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -64,12 +64,12 @@ jobs:
 persist-credentials: false
 - name: Setup pnpm
- uses: pnpm/action-setup@v4
+ uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 with:
 version: 10.18.1
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 24
 cache: pnpm
@@ -78,7 +78,7 @@ jobs:
 workspace/benchmark/pnpm-lock.yaml
 - name: Setup Rust
- uses: dtolnay/rust-toolchain@stable
+ uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 - name: Install wasm-pack
 uses: jetli/wasm-pack-action@0d096b08b4e5a7de8c28de67e11e945404e9eefa # v0.4.0
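Review bot: The `# v4` comments on the two new `uses:` lines in the first hunk name only the moving major tag, so a reader cannot tell which release each SHA was taken from, and updaters that rewrite the version comment together with the SHA work best with a full tag. Record the exact release instead, e.g. `uses: actions/setup-node@<sha> # vX.Y.Z` (placeholder; the patch does not show the release). Before merging, confirm that each SHA is reachable from a tag in the upstream repository rather than only from a fork, since GitHub can resolve fork commits through the parent repository's network. Nothing in this patch adds an update mechanism for the pins; if the repository has no Dependabot or Renovate entry for GitHub Actions, the pinned revisions will quietly go stale and miss upstream security fixes.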
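Review bot: Pinning `dtolnay/rust-toolchain` to a SHA in the second hunk removes the ref name this action normally uses to choose the toolchain, so the step now depends on whatever default the pinned commit's `action.yml` carries; which branch that commit came from is not visible here. Make the choice explicit by adding `with:` and `toolchain: stable` beneath the `uses:` line, which behaves the same whichever branch the commit belongs to. The pin freezes only the action's code: `stable` still resolves to whatever Rust release is current at run time, so the compiler download stays unpinned unless a concrete version is given as the toolchain. A short comment on the step saying so would keep readers from assuming the build toolchain is reproducible.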