feat(sec): harden GHA ref by using its SHA ID to prevent accidental usage of compromised actions (#38782)

Signed-off-by: hainenber <dotronghai96@gmail.com> (cherry picked from commit 83823911b5)
2026-05-10 10:25:51 +00:00 · 2026-03-21 21:27:30 +07:00
parent c26d2de616
commit 493f6c0aed
40 changed files with 133 additions and 133 deletions
--- a/.github/workflows/no-hold-label.yml
+++ b/.github/workflows/no-hold-label.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
    - name: Check for 'hold' label
-      uses: actions/github-script@v8
+      uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
      with:
        github-token: ${{secrets.GITHUB_TOKEN}}
        script: |