[llvm] [Github] Hash Pin Actions in Most Workflows (PR #129486)
Carlo Cabrera via llvm-commits
llvm-commits at lists.llvm.org
Sun Mar 16 21:22:31 PDT 2025
================
@@ -60,12 +60,12 @@ jobs:
# a local checkout beforehand.
- name: Fetch LLVM sources (Push)
if: ${{ github.event_name == 'push' }}
- uses: actions/checkout at v4
+ uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 1
- name: Get subprojects that have doc changes
id: docs-changed-subprojects
- uses: tj-actions/changed-files at v39
+ uses: tj-actions/changed-files at fea790cb660e33aef4bdf07304e28fedd77dfa13 # v39.2.4
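Review bot: On the tj-actions/changed-files line, the trailing `# v39.2.4` comment is the only thing tying the SHA fea790cb660e33aef4bdf07304e28fedd77dfa13 to a release, and nothing in the workflow checks that mapping. Given the compromise report linked in the reply below, please confirm against the upstream repository that this commit is the one the v39.2.4 tag originally pointed to, and do the same for the actions/checkout pin (11bd71901bbe5b1630ceea73d27597364c9af683, commented as v4.2.2). Both lines move from a floating major tag (v4, v39) to a fixed commit, so they will no longer pick up upstream fixes on their own; it would help to state in the PR how the SHA and its version comment are kept in sync when the pins are bumped, so the comment does not drift from what actually runs.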
----------------
carlocab wrote:
This was good timing: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised
May still be worth an audit regardless. CC @tstellar
https://github.com/llvm/llvm-project/pull/129486