Files
claude-desktop-debian/.github
Aaddrick 4cc63bff7a ci: pin third-party actions to commit SHAs (#535)
Replaces mutable tag refs (e.g. @v4) with full commit SHAs across all
workflows, with the version retained as a trailing comment for
readability and dependabot compatibility.

Motivation: the March 2026 trivy-action supply-chain attack poisoned 75
of 76 version tags in a single repo. Any consumer using @vX-style
references ran the compromised code automatically. SHA pinning makes
that class of attack a no-op for us — a hijacked tag cannot point at
new code without the SHA also changing.

Pinned actions:
  actions/checkout@v4, actions/upload-artifact@v4,
  actions/download-artifact@v4, actions/setup-python@v5,
  actions/setup-node@v4, actions/github-script@v7,
  softprops/action-gh-release@v2, crazy-max/ghaction-import-gpg@v6,
  codespell-project/codespell-problem-matcher@v1,
  codespell-project/actions-codespell@v2,
  cloudflare/wrangler-action@v3,
  DeterminateSystems/nix-installer-action@v21

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Claude <claude@anthropic.com>
2026-04-28 07:25:28 -04:00
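The check the commit message describes, as an added example that is not part of the repository: a small stdlib-only scanner that parses `uses:` lines from a workflow file, treats only a full 40-hex commit SHA as pinned, and keeps the trailing `# vN` comment so a reviewer can still see the intended version. The workflow text is constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Only a full 40-hex commit SHA is immutable; tags and branches can be moved.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "uses: owner/repo@ref" plus an optional trailing "# v4"-style comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?(?:\s*#\s*(\S+))?")

@dataclass
class ActionRef:
    line: int
    action: str                  # e.g. "actions/checkout"
    ref: str                     # part after "@": tag, branch or commit SHA
    version_note: Optional[str]  # trailing comment such as "v4", if present

    def is_sha_pinned(self) -> bool:
        return bool(SHA_RE.match(self.ref))

def parse_uses(workflow: str) -> list:
    """Collect every remote 'uses:' reference in a workflow file."""
    refs = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target, note = m.group(1), m.group(2)
        # Local actions (./path) and docker:// images are not tag refs; skip them.
        if target.startswith(("./", "docker://")) or "@" not in target:
            continue
        action, ref = target.rsplit("@", 1)
        refs.append(ActionRef(n, action, ref, note))
    return refs

def unpinned_actions(workflow: str) -> list:
    """Refs still using a mutable tag or branch instead of a commit SHA."""
    return [r for r in parse_uses(workflow) if not r.is_sha_pinned()]

# Constructed sample workflow (not from the repository), mixing pinned and unpinned refs.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
"""
```

Running `unpinned_actions` over each file under `.github/workflows/` in CI fails the build as soon as a `@vN` reference is reintroduced.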