chore: pin GitHub Actions to SHA for supply chain security

jespino · ona-agent · jespino · commit 66154dc9b352 · 2025-12-15T12:14:33.000Z
Pin all external GitHub Actions to specific commit SHAs.

Changes:
- actions/checkout@v4 → pinned to SHA
- actions/github-script@v6 → pinned to SHA
- eifinger/setup-rye@v4 → pinned to SHA
- pypa/gh-action-pypi-publish@release/v1 → pinned to SHA

Co-authored-by: Ona &lt;no-reply@ona.com&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ${{ github.repository == 'stainless-sdks/gitpod-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install Rye
         run: |
@@ -44,7 +44,7 @@ jobs:
       id-token: write
     runs-on: ${{ github.repository == 'stainless-sdks/gitpod-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install Rye
         run: |
@@ -63,7 +63,7 @@ jobs:
       - name: Get GitHub OIDC Token
         if: github.repository == 'stainless-sdks/gitpod-python'
         id: github-oidc
-        uses: actions/github-script@v6
+        uses: actions/github-script@00f12e3e20659f42342b1c0226afda7f7c042325 # v6
         with:
           script: core.setOutput('github_token', await core.getIDToken());
 
@@ -81,7 +81,7 @@ jobs:
     runs-on: ${{ github.repository == 'stainless-sdks/gitpod-python' && 'depot-ubuntu-24.04' || 'ubuntu-latest' }}
     if: github.event_name == 'push' || github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install Rye
         run: |
diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml
@@ -17,10 +17,10 @@ jobs:
       id-token: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Install Rye
-        uses: eifinger/setup-rye@v4
+        uses: eifinger/setup-rye@28bdec8715ffb68b232b7678986fa06acd22d4ce # v4
         with:
           version: '0.44.0'
           
@@ -31,7 +31,7 @@ jobs:
         run: rye build --clean
       
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # release/v1
         with:
           # No token needed! Trusted publishing handles authentication
           packages-dir: dist/
