From c42af80b6a79873534dadf71b645ec6bc9e889a9 Mon Sep 17 00:00:00 2001
From: tokict
Date: Tue, 24 Mar 2026 21:11:46 +0200
Subject: [PATCH] fix: pin third-party actions to SHA to prevent supply chain attacks
---
 .github/workflows/nix-emulator.yaml | 4 ++--
 .github/workflows/stack-cloud.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/nix-emulator.yaml b/.github/workflows/nix-emulator.yaml
index c43a5c1..3dab96c 100644
--- a/.github/workflows/nix-emulator.yaml
+++ b/.github/workflows/nix-emulator.yaml
@@ -12,13 +12,13 @@ jobs:
 - name: Start PubSub Emulator
 run: |
 docker compose up --build -d pubsub-emulator
- - uses: cachix/install-nix-action@v30
+ - uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
 with:
 nix_path: nixpkgs=channel:nixos-unstable
 extra_nix_config: |
 trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
 substituters = https://hydra.iohk.io https://cache.nixos.org/
- - uses: cachix/cachix-action@v15
+ - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
 with:
 name: proda-ai-cloud-pubsub
 authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
diff --git a/.github/workflows/stack-cloud.yaml b/.github/workflows/stack-cloud.yaml
index 5def093..50ad9ff 100644
--- a/.github/workflows/stack-cloud.yaml
+++ b/.github/workflows/stack-cloud.yaml
@@ -6,7 +6,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v2
- - uses: haskell-actions/setup@v2
+ - uses: haskell-actions/setup@f9150cb1d140e9a9271700670baa38991e6fa25c # v2.10.3
 with:
 enable-stack: true
 stack-no-global: true
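Review bot: Nothing in this patch keeps the two new pins on the `cachix/install-nix-action` and `cachix/cachix-action` lines current, so they will stay at these commits and miss later upstream fixes unless someone bumps them by hand. The diffstat shows only the two workflow files, so if the repository has no updater yet, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` would cover it. The trailing `# v30` and `# v15` comments are not checked by anything, so before merge each SHA should be confirmed to be the commit that tag resolves to in the upstream repository itself rather than in a fork. The `cachix-action` step receives `secrets.CACHIX_AUTH_TOKEN`, which makes that pin the more sensitive of the two. The steps list starts above the hunk, so any earlier `uses:` lines in this file are not visible here and should be checked for the same treatment.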
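Review bot: The context line `- uses: actions/checkout@v2` directly above the changed line in `stack-cloud.yaml` still resolves through a mutable tag, so this job keeps one floating reference after the patch. The subject limits the change to third-party actions, so this may be deliberate; if it is, a comment such as `# first-party action, intentionally tracked by tag` would record the decision. Otherwise the line can take the same form as the others, `- uses: actions/checkout@<full-commit-sha> # <tag>`. Moving from `@v2` to the commit labelled `# v2.10.3` also stops this job from following later v2 releases of `haskell-actions/setup`, which looks like the intended trade-off but is worth stating in the commit message.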