From 40616dd2a89dd757a21a340b44956d32bf889ec5 Mon Sep 17 00:00:00 2001
From: Eduard Voiculescu
Date: Wed, 11 Feb 2026 12:33:47 -0500
Subject: [PATCH] Pin all versions of any uses: in the sast, test-claudecode.yaml and action.yaml files

Instead of using @Version, pin all github actions uses to a specific commit hash. This makes is that much harder for a supply chain attack to occur.
---
 .github/workflows/sast.yml | 8 +--
 .github/workflows/test-claudecode.yml | 82 +++++++++++++--------------
 action.yml | 10 ++--
 3 files changed, 50 insertions(+), 50 deletions(-)

diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml
index 8a5dce6..ea7b0b0 100644
--- a/.github/workflows/sast.yml
+++ b/.github/workflows/sast.yml
@@ -14,12 +14,12 @@ jobs:
 contents: read
 pull-requests: write
 steps:
- - uses: actions/checkout@v4
-
- - uses: ./ # Points directly to action.yml
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 pinned to commit hash
+
+ - uses: ./ # Points directly to action.yml
 with:
 comment-pr: true
 upload-results: true
 exclude-directories: "tests/vulnerable"
 claude-api-key: ${{ secrets.CLAUDE_API_KEY }}
- run-every-commit: true
\ No newline at end of file
+ run-every-commit: true
diff --git a/.github/workflows/test-claudecode.yml b/.github/workflows/test-claudecode.yml
index 49adc66..803124a 100644
--- a/.github/workflows/test-claudecode.yml
+++ b/.github/workflows/test-claudecode.yml
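Review bot: The pin on `actions/checkout` in .github/workflows/sast.yml, like the other hashes this patch adds in test-claudecode.yml and action.yml, arrives with no mechanism to keep it current. The diffstat lists only these three files, so unless an updater for the `github-actions` ecosystem (Dependabot or Renovate) is already configured elsewhere in the repository, the pins will stay at the releases named in the comments and later fixes to those actions will not arrive. The comment `# v4.3.1 pinned to commit hash` is the only record of which release a hash stands for, and the diff cannot confirm that mapping, so each hash should be checked against the tag in the upstream repository before merge. A shorter comment of the form `# v4.3.1` is the form commonly used with update tools; whether they also rewrite the longer wording should be confirmed. The job's trigger and the rest of its definition are outside the hunk.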
@@ -16,45 +16,45 @@ permissions:
 jobs:
 test-claudecode:
 runs-on: ubuntu-latest
-
+
 steps:
- - uses: actions/checkout@v4
-
- - name: Set up Python
- uses: actions/setup-python@v4
- with:
- python-version: '3.10'
-
- - name: Set up Node.js
- uses: actions/setup-node@v4
- with:
- node-version: '20'
-
- - name: Install Claude CLI
- run: |
- npm install -g @anthropic-ai/claude-code
-
- - name: Install dependencies
- run: |
- pip install pytest pytest-cov
- pip install -r claudecode/requirements.txt
-
- - name: Run ClaudeCode unit tests
- run: |
- export PYTHONPATH="${PYTHONPATH}:${PWD}"
- pytest claudecode -v --cov=claudecode --cov-report=term-missing
-
- - name: Install Bun
- uses: oven-sh/setup-bun@v2
- with:
- bun-version: latest
-
- - name: Install script dependencies
- run: |
- cd scripts
- bun install
-
- - name: Run comment script tests
- run: |
- cd scripts
- bun test
\ No newline at end of file
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 pinned to commit hash
+
+ - name: Set up Python
+ uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1 pinned to commit hash
+ with:
+ python-version: "3.10"
+
+ - name: Set up Node.js
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 pinned to commit hash
+ with:
+ node-version: "20"
+
+ - name: Install Claude CLI
+ run: |
+ npm install -g @anthropic-ai/claude-code
+
+ - name: Install dependencies
+ run: |
+ pip install pytest pytest-cov
+ pip install -r claudecode/requirements.txt
+
+ - name: Run ClaudeCode unit tests
+ run: |
+ export PYTHONPATH="${PYTHONPATH}:${PWD}"
+ pytest claudecode -v --cov=claudecode --cov-report=term-missing
+
+ - name: Install Bun
+ uses: oven-sh/setup-bun@b7a1c7ccf290d58743029c4f6903da283811b979 # v2.1.0 pinned to commit hash
+ with:
+ bun-version: latest
+
+ - name: Install script dependencies
+ run: |
+ cd scripts
+ bun install
+
+ - name: Run comment script tests
+ run: |
+ cd scripts
+ bun test
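Review bot: The install steps in this job still resolve whatever is newest at run time, which leaves open the gap the commit message sets out to close: `npm install -g @anthropic-ai/claude-code` and `pip install pytest pytest-cov` name no version, and `bun-version: latest` floats underneath the now-pinned `oven-sh/setup-bun`. Pinning them, for example `npm install -g @anthropic-ai/claude-code@<VERSION>`, `pip install pytest==<VERSION> pytest-cov==<VERSION>` and `bun-version: "<VERSION>"` (placeholders, to be set to the releases the project has tested), would make the test job reproducible; `claudecode/requirements.txt` is not shown, so whether its entries are pinned cannot be judged from here. Separately, the hunk appears to re-indent the whole `steps:` list, so the four real `uses:` changes are buried in 41 changed lines per side; a whitespace-only commit ahead of this one would have kept the security-relevant diff small. The workflow's triggers and `permissions:` block are outside the hunk.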
diff --git a/action.yml b/action.yml
index d82e67e..0e10e6a 100644
--- a/action.yml
+++ b/action.yml
@@ -69,14 +69,14 @@ runs:
 echo "::endgroup::"
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 pinned to commit hash
 with:
 python-version: '3.x'
 - name: Check ClaudeCode run history
 id: claudecode-history
 if: github.event_name == 'pull_request'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 pinned to commit hash
 with:
 path: .claudecode-marker
 key: claudecode-${{ github.repository_id }}-pr-${{ github.event.pull_request.number }}-${{ github.sha }}
@@ -149,14 +149,14 @@ runs:
 - name: Save ClaudeCode reservation to cache
 if: steps.claudecode-check.outputs.enable_claudecode == 'true' && github.event_name == 'pull_request'
- uses: actions/cache/save@v4
+ uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0 pinned to commit hash
 with:
 path: .claudecode-marker
 key: claudecode-${{ github.repository_id }}-pr-${{ github.event.pull_request.number }}-${{ github.sha }}
 - name: Set up Node.js
 if: steps.claudecode-check.outputs.enable_claudecode == 'true'
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 pinned to commit hash
 with:
 node-version: '18'
@@ -307,7 +307,7 @@ runs:
 - name: Upload scan results
 if: always() && inputs.upload-results == 'true'
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 pinned to commit hash
 with:
 name: security-review-results
 path: |
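Review bot: `actions/setup-python` is pinned to v5.6.0 in the first hunk of action.yml but to v4.9.1 in .github/workflows/test-claudecode.yml, so the repository now tracks two hashes for one action and the test job sets up Python through a different major version than the action itself. If nothing in the test workflow depends on v4, using the same line there, `uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 pinned to commit hash`, leaves one hash to audit and update. The `actions/cache` restore in this hunk and `actions/cache/save` in the next one share a single hash, which is what they need; a comment such as `# keep in sync with the actions/cache/save pin below` would help them move together on the next bump. The `runs.steps` list starts and ends outside these hunks.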
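Review bot: The `Set up Node.js` step in the `-149,14` hunk still requests `node-version: '18'`, a release line that has reached upstream end-of-life, while test-claudecode.yml runs on `node-version: "20"`. Pinning the setup action's hash does not help much if the runtime it installs no longer receives security fixes, and the mismatch means the tests do not run on the Node version the action uses. Changing the line to `node-version: '20'` would align the two, provided the tooling installed later in the action supports it; that install step is outside the hunk.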