[SEC-7924] chore: pin third-party GitHub Actions to commit SHAs

pkaeding · pkaeding · commit 459671129648 · 2026-03-23T21:46:37.000-04:00
Pin all third-party GitHub Actions to full-length commit SHAs to prevent
supply chain attacks. Addresses findings from the
third-party-action-not-pinned-to-commit-sha Semgrep rule.
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -12,7 +12,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: ruby/setup-ruby@v1
+    - uses: ruby/setup-ruby@319994f95fa847cf3fb3cd3dbe89f6dcde9f178f # v1
       with:
         ruby-version: ${{ inputs.version }}
         bundler: 2
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -18,7 +18,7 @@ jobs:
       upload-tag-name: ${{ steps.release.outputs.tag_name }}
 
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4
         id: release
 
   build-ruby-gem:
@@ -81,7 +81,7 @@ jobs:
       id-token: write
       contents: write
 
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
     with:
       base64-subjects: "${{ needs.publish.outputs.gem-hash }}"
       upload-assets: true
