From 486c50b032a96ae282318f29e605aa09bc27c895 Mon Sep 17 00:00:00 2001 
From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com>
Date: Sat, 30 May 2026 23:25:41 +0100
Subject: [PATCH] fix(ci): replace fake action SHA pins with version-faithful real SHAs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These pins were partial-prefix-corruption fakes — fabricated SHAs that share a prefix with a real version's SHA but have fabricated suffixes, slipping past visual review. Verified fake via `gh api commits/ -> 422`. The fix preserves the version the author originally intended (read from the `# vX.Y.Z` comment alongside each pin), rather than blindly bumping to latest. This is important for actions where check-name reporting can differ between major versions (e.g. CodeQL) — keeping the same major preserves any branch-protection contexts that reference check names.
Substitutions applied (those present in this repo only — see diff):
goto-bus-stop/setup-zig v2.2.1 abea47f85e...
erlef/setup-beam v1.24.0 fc68ffb904...
erlef/setup-beam v1.18.2 5304e04ea2...
erlef/setup-beam v1.19.0 8aa8a857c6...
denoland/setup-deno v2.0.4 667a34cdef...
denoland/setup-deno v2.0.2 909cc5acb0...
denoland/setup-deno v1.1.4 041b854f97...
haskell-actions/setup v2.11.0 cd0d9bdd65...
actions/upload-artifact v4.6.2 ea165f8d65b6e75b...
actions/setup-node v4.4.0 49933ea5288caeca8642d1e84afbd3f7d6820020
actions/setup-node v4.2.0 1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a
trufflesecurity/trufflehog v3.95.3 37b77001d0...
trufflesecurity/trufflehog v3.82.13 1aa1871f9a...
trufflesecurity/trufflehog v3.63.6 f699f60e89...
github/codeql-action/* v3.36.0 03e4368ac7...
github/codeql-action/* v3.31.10 4bdb89f480...
github/codeql-action/* v3.28.0 48ab28a6f5...
github/codeql-action/* v4.36.0 7211b7c807...
Swatinem/rust-cache v2.7.8 9d47c6ad4b...
gitleaks/gitleaks-action v2.3.7 83373cf2f8...
Verified real via `gh api repos///commits/`.
Provenance: [[project_estate_fake_action_sha_punch_list_2026_05_30]]; caught during the estate audit triggered by hyperpolymath/snifs#30.
---
 .github/workflows/finishingbot.yml | 2 +-
 .github/workflows/rhodibot.yml | 2 +-
 .github/workflows/seambot.yml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/finishingbot.yml b/.github/workflows/finishingbot.yml
index 8210b32..d428a7c 100644
--- a/.github/workflows/finishingbot.yml
+++ b/.github/workflows/finishingbot.yml
@@ -42,7 +42,7 @@ jobs:
 git -C "$RUNNER_TEMP/gitbot-fleet" checkout "$GITBOT_FLEET_REF"
 - name: Cache dependencies
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 with:
 workspaces: ${{ runner.temp }}/gitbot-fleet/bots/finishingbot
diff --git a/.github/workflows/rhodibot.yml b/.github/workflows/rhodibot.yml
index 5ca5bda..df1fc23 100644
--- a/.github/workflows/rhodibot.yml
+++ b/.github/workflows/rhodibot.yml
@@ -43,7 +43,7 @@ jobs:
 git -C "$RUNNER_TEMP/gitbot-fleet" checkout "$GITBOT_FLEET_REF"
 - name: Cache dependencies
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 with:
 workspaces: ${{ runner.temp }}/gitbot-fleet/bots/rhodibot
diff --git a/.github/workflows/seambot.yml b/.github/workflows/seambot.yml
index 4804f63..b9e9b13 100644
--- a/.github/workflows/seambot.yml
+++ b/.github/workflows/seambot.yml
@@ -54,7 +54,7 @@ jobs:
 - name: Cache dependencies
 if: steps.check-seam.outputs.has_seam == 'true'
- uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
+ uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 with:
 workspaces: ${{ runner.temp }}/gitbot-fleet/bots/seambot
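Review bot: The trailing comment on the new `uses: Swatinem/rust-cache@9d47c6ad…` line in finishingbot.yml still reads `# v2`, a floating major tag, while the commit message lists this SHA as v2.7.8; the identical lines in rhodibot.yml and seambot.yml have the same gap. Because the message says the intended version is read back from that comment, I would record the exact tag, `uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2.7.8`, so a later audit compares the pin against one fixed release rather than whatever `v2` resolves to at the time. The page shows no CI step that checks pinned SHAs resolve upstream; if none exists, the manual `gh api` verification described in the message is worth automating so that a non-resolving pin fails a check instead of relying on visual review.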