[Supply-chain] Pin meta Gitea workflow actions to immutable revisions #2

Closed
opened 2026-07-11 16:02:06 +02:00 by zemion · 1 comment
Owner

Created from /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1529.

Semgrep reported mutable action tags in:

  • .gitea/workflows/dependency-audit.yml
  • .gitea/workflows/module-matrix.yml
  • .gitea/workflows/release-integration.yml
  • .gitea/workflows/security-audit-toolbox-update.yml
  • .gitea/workflows/security-audit.yml

Acceptance criteria:

  • Replace mutable action tags with immutable commit SHAs.
  • Keep the workflow YAML parseable.
Created from `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260711-1529`. Semgrep reported mutable action tags in: - `.gitea/workflows/dependency-audit.yml` - `.gitea/workflows/module-matrix.yml` - `.gitea/workflows/release-integration.yml` - `.gitea/workflows/security-audit-toolbox-update.yml` - `.gitea/workflows/security-audit.yml` Acceptance criteria: - Replace mutable action tags with immutable commit SHAs. - Keep the workflow YAML parseable.
Author
Owner

Codex State: done

Summary

  • Pinned all actions/checkout, actions/setup-python, actions/setup-node, and actions/upload-artifact references in the meta workflows to the current immutable SHAs.
  • Verified the workflow YAML files parse with Python yaml.safe_load.

Changed Files

  • .gitea/workflows/dependency-audit.yml
  • .gitea/workflows/module-matrix.yml
  • .gitea/workflows/release-integration.yml
  • .gitea/workflows/security-audit-toolbox-update.yml
  • .gitea/workflows/security-audit.yml

Verification

  • rg -n "uses: actions/.+@v[0-9]" .gitea/workflows || true returned no matches.
  • YAML parse check passed for all five workflow files.

The fix is local and ready to push with the meta repository changes.

## Codex State: done ### Summary - Pinned all `actions/checkout`, `actions/setup-python`, `actions/setup-node`, and `actions/upload-artifact` references in the meta workflows to the current immutable SHAs. - Verified the workflow YAML files parse with Python `yaml.safe_load`. ### Changed Files - `.gitea/workflows/dependency-audit.yml` - `.gitea/workflows/module-matrix.yml` - `.gitea/workflows/release-integration.yml` - `.gitea/workflows/security-audit-toolbox-update.yml` - `.gitea/workflows/security-audit.yml` ### Verification - `rg -n "uses: actions/.+@v[0-9]" .gitea/workflows || true` returned no matches. - YAML parse check passed for all five workflow files. The fix is local and ready to push with the meta repository changes.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan#2
No description provided.