From a0ddf14fda2c73f1a6c96c372308867debe97802 Mon Sep 17 00:00:00 2001 From: Jimisola Laursen Date: Sat, 7 Mar 2026 22:58:13 +0100 Subject: [PATCH 1/2] build: SHA-pin GitHub Actions for supply-chain security Pin external action references to exact commit SHAs instead of branch or major-version tags to prevent supply-chain attacks. Signed-off-by: jimisola --- .github/workflows/check-semantic-pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml index 5bacd57..dfb02a0 100644 --- a/.github/workflows/check-semantic-pr.yml +++ b/.github/workflows/check-semantic-pr.yml @@ -7,4 +7,4 @@ on: jobs: check: - uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@main + uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07 From 8099360a837a043138e1d2ae2006d930dad7c714 Mon Sep 17 00:00:00 2001 From: Jimisola Laursen Date: Sat, 7 Mar 2026 23:45:03 +0100 Subject: [PATCH 2/2] ci: potential fix for code scanning alert no. 10: Workflow does not contain permissions Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Jimisola Laursen --- .github/workflows/check-semantic-pr.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/check-semantic-pr.yml b/.github/workflows/check-semantic-pr.yml index dfb02a0..968e327 100644 --- a/.github/workflows/check-semantic-pr.yml +++ b/.github/workflows/check-semantic-pr.yml @@ -5,6 +5,9 @@ on: pull_request_target: types: [opened, edited, synchronize, reopened] +permissions: + contents: read + jobs: check: uses: reqstool/.github/.github/workflows/check-semantic-pr.yml@33502e31f66fb7e982f48f50e3c6c29b0410a017 # main 2026-03-07
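Review bot: in the first hunk (`@@ -7,4 +7,4 @@`), the `uses:` line is now pinned to a full commit SHA, but the trailing comment `# main 2026-03-07` records only a branch name and a date, so a reader cannot tell which release of the reusable workflow this corresponds to and nothing will move the pin forward when `reqstool/.github` changes. Consider enabling Dependabot for the `github-actions` ecosystem, which understands SHA-pinned `uses:` references and keeps the pin and its comment current, and note that the pin only fixes this one hop: the reusable workflow at `33502e31f66fb7e982f48f50e3c6c29b0410a017` still resolves whatever action references it contains, so the same pinning should be checked in `reqstool/.github` for the protection to hold end to end.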
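Review bot: in the second hunk (`@@ -5,6 +5,9 @@`), the new top-level `permissions: contents: read` block is the right default for a workflow triggered by `pull_request_target` (visible in the unchanged context), since that event otherwise runs with a write-capable token on every fork PR, but for a caller of a reusable workflow this block is also the ceiling on what the called job can request: any permission not listed here is `none` for `reqstool/.github/.github/workflows/check-semantic-pr.yml`. Before merging, confirm which permissions that workflow actually declares at the pinned SHA (a semantic-PR check commonly needs at least `pull-requests: read`, and `write` if it posts a comment) and either add them here explicitly or note in the commit message that the called workflow needs none; the commit title "potential fix" suggests this was not verified.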