From dfd68dbc0c582757df6e9d37763bd5cd31b0a28e Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Sat, 30 May 2026 19:30:14 +0100 Subject: [PATCH] fix(ci): replace fake action SHA pins with version-faithful real SHAs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These pins were partial-prefix-corruption fakes — fabricated SHAs that share a prefix with a real version's SHA but have fabricated suffixes, slipping past visual review. Verified fake via `gh api commits/ -> 422`. The fix preserves the version the author originally intended (read from the `# vX.Y.Z` comment alongside each pin), rather than blindly bumping to latest. This is important for actions where check-name reporting can differ between major versions (e.g. CodeQL) — keeping the same major preserves any branch-protection contexts that reference check names. Substitutions applied (those present in this repo only — see diff): goto-bus-stop/setup-zig v2.2.1 abea47f85e... erlef/setup-beam v1.24.0 fc68ffb904... erlef/setup-beam v1.18.2 5304e04ea2... erlef/setup-beam v1.19.0 8aa8a857c6... denoland/setup-deno v2.0.4 667a34cdef... denoland/setup-deno v2.0.2 909cc5acb0... denoland/setup-deno v1.1.4 041b854f97... haskell-actions/setup v2.11.0 cd0d9bdd65... actions/upload-artifact v4.6.2 ea165f8d65b6e75b... actions/setup-node v4.4.0 49933ea5288caeca8642d1e84afbd3f7d6820020 actions/setup-node v4.2.0 1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a trufflesecurity/trufflehog v3.95.3 37b77001d0... trufflesecurity/trufflehog v3.82.13 1aa1871f9a... trufflesecurity/trufflehog v3.63.6 f699f60e89... github/codeql-action/* v3.36.0 03e4368ac7... github/codeql-action/* v3.31.10 4bdb89f480... github/codeql-action/* v3.28.0 48ab28a6f5... github/codeql-action/* v4.36.0 7211b7c807... Swatinem/rust-cache v2.7.8 9d47c6ad4b... gitleaks/gitleaks-action v2.3.7 83373cf2f8... Verified real via `gh api repos///commits/`. Provenance: [[project_estate_fake_action_sha_punch_list_2026_05_30]]; caught during the estate audit triggered by hyperpolymath/snifs#30. --- .github/workflows/ci.yml | 10 +++++----- .github/workflows/gleam-ci.yml | 2 +- .github/workflows/rescript-deno-ci.yml | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 647ecc1..6d75472 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -44,7 +44,7 @@ jobs: bundler-cache: true - name: Set up Deno - uses: denoland/setup-deno@61df2da039798545a278151ba52240239f604b71 # v2.0.2 + uses: denoland/setup-deno@909cc5acb0fdd60627fb858598759246509fa755 # v2.0.2 with: deno-version: v1.x @@ -111,7 +111,7 @@ jobs: bundler-cache: true - name: Set up Deno - uses: denoland/setup-deno@61df2da039798545a278151ba52240239f604b71 # v2.0.2 + uses: denoland/setup-deno@909cc5acb0fdd60627fb858598759246509fa755 # v2.0.2 with: deno-version: v1.x @@ -147,15 +147,15 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Initialize CodeQL - uses: github/codeql-action/init@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3.31.9 + uses: github/codeql-action/init@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.9 with: languages: ruby, javascript - name: Autobuild - uses: github/codeql-action/autobuild@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3.31.9 + uses: github/codeql-action/autobuild@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.9 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b2f9ef845756500b97acbdaf5c1dd4e9c1d15734 # v3.31.9 + uses: github/codeql-action/analyze@4bdb89f48054571735e3792627da6195c57459e2 # v3.31.9 rsr-validation: name: RSR Compliance Check diff --git a/.github/workflows/gleam-ci.yml b/.github/workflows/gleam-ci.yml index 0139723..bdfc149 100644 --- a/.github/workflows/gleam-ci.yml +++ b/.github/workflows/gleam-ci.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup Erlang/OTP and Gleam - uses: erlef/setup-beam@53eca37a5015e5c7075c3d9b4b08705001f35835 # v1.18.2 + uses: erlef/setup-beam@5304e04ea2b355f03681464e683d92e3b2f18451 # v1.18.2 with: otp-version: '26.0' permissions: contents: read diff --git a/.github/workflows/rescript-deno-ci.yml b/.github/workflows/rescript-deno-ci.yml index e04883f..ed9fcc7 100644 --- a/.github/workflows/rescript-deno-ci.yml +++ b/.github/workflows/rescript-deno-ci.yml @@ -9,7 +9,7 @@ jobs: permissions: contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: denoland/setup-deno@61df2da039798545a278151ba52240239f604b71 # v2.0.2 + - uses: denoland/setup-deno@909cc5acb0fdd60627fb858598759246509fa755 # v2.0.2 with: deno-version: v1.x permissions: contents: read @@ -38,7 +38,7 @@ jobs: permissions: contents: read steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: denoland/setup-deno@61df2da039798545a278151ba52240239f604b71 # v2.0.2 + - uses: denoland/setup-deno@909cc5acb0fdd60627fb858598759246509fa755 # v2.0.2 - name: Check permissions run: | # Audit for dangerous permissions