
ci: pin actions to full commit SHAs in claude.yml#1712

Open
XananasX7 wants to merge 1 commit into
anthropics:mainfrom
XananasX7:ci/pin-claude-workflow-actions

Conversation

@XananasX7


Summary

Pins actions/checkout and anthropics/claude-code-action in the Claude workflow to immutable full commit SHAs.

Vulnerability

Using mutable version tags (@v4, @v1) creates a supply-chain risk — if either action repository is compromised, an attacker could push malicious code under the same tag that would silently run in CI with access to secrets.ANTHROPIC_API_KEY and write permissions on contents, pull-requests, and issues.

The Claude workflow is particularly sensitive because it has broad permissions:

permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write

Fix

| Action | Before | After |
| --- | --- | --- |
| actions/checkout | @v4 | @34e1148 (v4) |
| anthropics/claude-code-action | @v1 | @a92e7c7 (v1) |

Both pins point to the exact same code as the current tags. Behaviour is unchanged.

References

@XananasX7 XananasX7 requested a review from a team as a code owner June 28, 2026 01:22
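The check a reviewer would want to run before and after a change like this is whether every `uses:` reference in a workflow resolves to an immutable ref. The script below is an added example, not code from this PR or from the anthropics repository: it walks a workflow file line by line, extracts each `uses:` target, and classifies the ref as a full 40-hex commit SHA, an abbreviated SHA, or a mutable tag/branch. The two embedded workflow fragments are constructed for the example; the 40-character SHAs in the "after" fragment are placeholders, not the commits the PR actually pins to, and the `on:`/`with:` lines are illustrative rather than copied from claude.yml.

```python
import re
from typing import Dict, List

# Constructed "before" fragment: tag-pinned actions with the broad permissions
# the PR description quotes. Not the repository's real claude.yml.
WORKFLOW_BEFORE = """\
name: Claude
on:
  issue_comment:
    types: [created]
permissions:
  contents: write
  pull-requests: write
  issues: write
  id-token: write
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: anthropics/claude-code-action@v1
        with:
          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
"""

# Constructed "after" fragment. The SHAs are PLACEHOLDERS (40 hex chars so the
# check passes), not the real commits referenced in the PR table.
WORKFLOW_AFTER = """\
jobs:
  claude:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # v4 (placeholder SHA)
      - uses: anthropics/claude-code-action@bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  # v1 (placeholder SHA)
      - uses: ./.github/actions/local-step
"""

# Matches "uses: <target>" whether it starts a list item or is a bare key;
# the target ends at whitespace or a YAML comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")


def classify_ref(ref: str) -> str:
    """Return 'full-sha', 'short-sha' or 'mutable' for an action ref.

    Only a full 40-hex SHA is treated as immutable. Abbreviated SHAs are
    flagged separately because prefix collisions are possible, and anything
    else (v4, v1, main, release branches) can be moved by the upstream owner.
    A tag that happens to be 7+ hex characters would be misread as a short
    SHA; this scanner is a first-pass check, not a substitute for review.
    """
    if FULL_SHA_RE.match(ref):
        return "full-sha"
    if SHORT_SHA_RE.match(ref):
        return "short-sha"
    return "mutable"


def audit_workflow(text: str) -> List[Dict[str, object]]:
    """List every remote action reference in a workflow with its pin status."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        target = m.group(1).strip("'\"")
        # Local composite actions and docker images are not GitHub repo refs.
        if target.startswith("./") or target.startswith("docker://"):
            continue
        if "@" not in target:
            # No ref at all resolves to the default branch: fully mutable.
            findings.append({"line": lineno, "action": target, "ref": "",
                             "status": "mutable"})
            continue
        action, ref = target.rsplit("@", 1)
        findings.append({"line": lineno, "action": action, "ref": ref,
                         "status": classify_ref(ref)})
    return findings


def unpinned_actions(text: str) -> List[Dict[str, object]]:
    """Findings that would fail a 'full SHA only' policy."""
    return [f for f in audit_workflow(text) if f["status"] != "full-sha"]


if __name__ == "__main__":
    for label, wf in (("before", WORKFLOW_BEFORE), ("after", WORKFLOW_AFTER)):
        print(f"== {label} ==")
        for f in audit_workflow(wf):
            print(f"  line {f['line']}: {f['action']}@{f['ref'] or '<none>'} -> {f['status']}")
        print("  unpinned:", len(unpinned_actions(wf)))
```

Running it against the "before" fragment reports both actions as mutable; against the "after" fragment it reports none unpinned and skips the local action. The version comment after the SHA (`# v4`) is kept in the "after" fragment because the scanner ignores it, while humans and tools like Dependabot use it to know which release the SHA corresponds to.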
