[llvm] [Github] Hash Pin Actions in Most Workflows (PR #129486)

Carlo Cabrera via llvm-commits llvm-commits at lists.llvm.org
Sun Mar 16 21:22:31 PDT 2025


================
@@ -60,12 +60,12 @@ jobs:
       # a local checkout beforehand.
       - name: Fetch LLVM sources (Push)
         if: ${{ github.event_name == 'push' }}
-        uses: actions/checkout at v4
+        uses: actions/checkout at 11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 1
       - name: Get subprojects that have doc changes
         id: docs-changed-subprojects
-        uses: tj-actions/changed-files at v39
+        uses: tj-actions/changed-files at fea790cb660e33aef4bdf07304e28fedd77dfa13 # v39.2.4
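Review bot: the trailing `# v4.2.2` and `# v39.2.4` comments on the two new `uses:` lines are documentation only; GitHub resolves the reference purely by the 40-hex SHA and never checks that the comment matches, so before merging please confirm each SHA is the commit the named tag points to (for example `git ls-remote --tags https://github.com/actions/checkout refs/tags/v4.2.2`, reading the peeled `^{}` line if the tag is annotated) and make sure whatever bumps these pins later (Dependabot or Renovate) rewrites the comment together with the SHA, otherwise the comment drifts and misleads the next reader who trusts it. A SHA pin also only fixes the tree of that one repository; anything the action fetches at run time is not covered by it.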
----------------
carlocab wrote:

This was good timing: https://www.stepsecurity.io/blog/harden-runner-detection-tj-actions-changed-files-action-is-compromised

May still be worth an audit regardless. CC @tstellar

https://github.com/llvm/llvm-project/pull/129486
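Following up on the audit suggested in the reply above, here is a small static check, added for this thread and not code from the PR or from the LLVM project. It scans workflow text for `uses:` references and reports third-party actions that are still referenced by a mutable tag or branch instead of a full 40-hex commit SHA, plus SHA pins that lack the `# vX.Y.Z` comment a reader (or Dependabot/Renovate) needs to know which release the SHA is meant to be. The sample workflows are constructed from the before/after state of the hunk quoted above; the step layout around them is assumed.

```python
"""Static audit of GitHub Actions `uses:` references (added example)."""
import re
from dataclasses import dataclass

# A `uses:` line, optionally preceded by the list dash, optionally followed
# by a trailing `# comment`. The ref itself never contains whitespace or '#'.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<ref>[^\s#]+)(?:\s*#\s*(?P<comment>.*))?\s*$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass
class Finding:
    line: int      # 1-based line number in the workflow text
    ref: str       # the full `owner/repo@ref` as written
    problem: str


def audit_uses(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not an immutable, documented pin."""
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref, comment = m.group("ref"), m.group("comment")
        # Local composite actions and docker images are out of scope here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, "no ref at all (resolves to the default branch)"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append(Finding(lineno, ref, f"mutable ref {version!r}; pin to a full commit SHA"))
        elif not comment or not re.match(r"v?\d", comment.strip()):
            # The SHA is immutable, but nobody can tell which release it is meant to be.
            findings.append(Finding(lineno, ref, "SHA pin without a version comment"))
    return findings


# Constructed from the hunk in this thread: the state before the PR ...
SAMPLE_BEFORE = """\
jobs:
  docs:
    steps:
      - name: Fetch LLVM sources (Push)
        if: ${{ github.event_name == 'push' }}
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
      - name: Get subprojects that have doc changes
        id: docs-changed-subprojects
        uses: tj-actions/changed-files@v39
"""

# ... and after it.
SAMPLE_AFTER = """\
jobs:
  docs:
    steps:
      - name: Fetch LLVM sources (Push)
        if: ${{ github.event_name == 'push' }}
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 1
      - name: Get subprojects that have doc changes
        id: docs-changed-subprojects
        uses: tj-actions/changed-files@fea790cb660e33aef4bdf07304e28fedd77dfa13 # v39.2.4
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for f in audit_uses(text):
            print(f"{label}:{f.line}: {f.ref}: {f.problem}")
```

Run it over every file under `.github/workflows/` to get the list the reply asks for. It does not talk to the network on purpose; whether a SHA really is the commit behind the tag named in the comment still has to be confirmed against `git ls-remote` output for that repository.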