From 30f9c97fe822748fa96e05682b3580ef6d959bac Mon Sep 17 00:00:00 2001
From: Do Anh Duy
Date: Wed, 13 May 2026 11:10:38 +0700
Subject: [PATCH] chore(ci): pin third-party actions to commit SHA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- astral-sh/setup-uv: upgrade v5 → v8.1.0, pin to commit SHA. The setup-uv README demonstrates SHA-pinned usage in all examples.
- python-semantic-release: bump v10.5.2 → v10.5.3, pin to commit SHA.
GitHub-owned actions/* (checkout, cache) kept on version tags — pragmatic stance matching trobz/odoo-modules convention.
Ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions
---
 .github/workflows/pre-commit.yaml | 2 +-
 .github/workflows/release.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index cb6c59e..47a6045 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -23,7 +23,7 @@ jobs:
 key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}
 - name: Setup uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
 with:
 enable-cache: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c72c942..7c6e720 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -16,7 +16,7 @@ jobs:
 uses: actions/checkout@v6
 - name: Semantic Version Release
- uses: python-semantic-release/python-semantic-release@v10.5.2
+ uses: python-semantic-release/python-semantic-release@350c48fcb3ffcdfd2e0a235206bc2ecea6b69df0 # v10.5.3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 git_committer_name: "github-actions"
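Review bot: The new `uses: astral-sh/setup-uv@08807647… # v8.1.0` line combines the SHA pin with a jump of three major versions (v5 → v8.1.0), while the `with: enable-cache: true` block under it is carried over unchanged. An input that was renamed or removed upstream typically produces only an "unexpected input" warning rather than a failed job, so confirm against the setup-uv release notes that `enable-cache` and the cache defaults still behave as before. The trailing `# v8.1.0` comment is the only link between the SHA and a release, so it is worth checking the SHA against the upstream tag before merge and noting that in the step, for example `# v8.1.0 (SHA verified against upstream tag)`. An update bot covering the `github-actions` ecosystem would keep both the SHA and the comment current; whether one is configured cannot be seen from this patch.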
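Review bot: The context line `uses: actions/checkout@v6` at the top of this hunk stays on a mutable tag in the same job that hands `secrets.GITHUB_TOKEN` to the release step, so the job holding the write-capable token is only partly pinned. I would pin it the same way, `uses: actions/checkout@<full-commit-sha> # v6` (placeholder; take the SHA from the upstream tag), or record the exception beside the step with a comment such as `# GitHub-owned action, intentionally kept on a version tag`. The job's `permissions:` block is outside this hunk; it should grant no more than the release step needs, since a pinned SHA fixes the action's repository content only and not anything the action fetches when it runs.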