
sec: pin GitHub Actions to full commit SHA #1906

@bug-ops

Description

Summary

19 CodeQL actions/unpinned-tag alerts in ci.yml and release.yml. All GitHub Actions are referenced by mutable version tags (e.g. @v4) instead of immutable commit SHAs, which exposes the pipeline to supply chain attacks if an action tag is force-pushed.

Affected files and lines

.github/workflows/ci.yml: lines 160, 161, 162, 169, 192, 194, 204, 232, 233, 236, 259

.github/workflows/release.yml: lines 110, 120, 123, 143, 176, 177, 178, 183, 192

Fix

Replace each uses: owner/action@vX with uses: owner/action@<full-sha> # vX using the current SHA for that tag. Use gh api or the action's release page to resolve each SHA.

Example:

# before
- uses: actions/checkout@v4
# after
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
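The following is an added example of the procedure described above, not code from this issue or from the project. It resolves each tag with `gh api` (assumed installed and authenticated), rewrites every `uses: owner/action@ref` line to `@<sha> # ref`, and reports any reference that is still not a 40-hex commit. It goes slightly beyond the issue text: it dereferences annotated tags (whose ref points at a tag object, not the commit), handles actions that live in a repository subdirectory such as github/codeql-action/upload-sarif, and leaves local and already-pinned references alone. The sample workflow and the SHAs in `FAKE_SHAS` are constructed placeholders for offline use.

```python
"""Pin mutable GitHub Actions refs to full commit SHAs.

Added example for this issue, not the project's own tooling. It assumes the
`gh` CLI is installed and authenticated for the live resolver; the rewrite
and check logic is pure and accepts any resolver callable.
"""
import functools
import json
import re
import subprocess
import sys
from typing import Callable, List, Tuple

# `uses: owner/repo[/subdir]@ref` with an optional trailing comment. Local
# actions (./path) and docker:// images do not fit this shape, so they never
# match and pass through unchanged.
USES_RE = re.compile(
    r"^(?P<prefix>\s*-?\s*uses:\s*)"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_./-]+)"
    r"@(?P<ref>[^\s#]+)"
    r"\s*(?:#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
Resolver = Callable[[str, str], str]  # (owner/repo, tag) -> commit SHA


@functools.lru_cache(maxsize=None)
def gh_resolve(repo: str, tag: str) -> str:
    """Resolve `tag` in `repo` to the commit it points at using `gh api`.

    A lightweight tag references the commit directly. An annotated tag
    references a tag object that must be dereferenced once more; pinning the
    tag object's SHA instead of the commit's is a common mistake.
    """
    ref = json.loads(subprocess.check_output(
        ["gh", "api", f"repos/{repo}/git/ref/tags/{tag}"], text=True))
    obj = ref["object"]
    if obj["type"] == "tag":
        obj = json.loads(subprocess.check_output(
            ["gh", "api", f"repos/{repo}/git/tags/{obj['sha']}"], text=True))["object"]
    if obj["type"] != "commit" or not FULL_SHA_RE.match(obj["sha"]):
        raise ValueError(f"{repo}@{tag} does not resolve to a commit: {obj}")
    return obj["sha"]


def unpinned(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, action, ref) for every `uses:` not pinned to a SHA."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m["ref"]):
            hits.append((n, m["action"], m["ref"]))
    return hits


def pin_line(line: str, resolve: Resolver) -> str:
    """Rewrite one line as `owner/action@<sha> # <ref>`; other lines pass through."""
    body = line.rstrip("\n")
    m = USES_RE.match(body)
    if not m or FULL_SHA_RE.match(m["ref"]):
        return line
    # The API repo is owner/name; a subdirectory such as
    # github/codeql-action/upload-sarif is part of the action path, not the repo.
    repo = "/".join(m["action"].split("/")[:2])
    sha = resolve(repo, m["ref"])
    return f"{m['prefix']}{m['action']}@{sha} # {m['ref']}" + line[len(body):]


def pin_workflow(text: str, resolve: Resolver) -> str:
    """Pin every `uses:` reference in a workflow file's text."""
    return "".join(pin_line(l, resolve) for l in text.splitlines(keepends=True))


# Constructed sample workflow and placeholder SHAs for an offline demonstration.
SAMPLE_WORKFLOW = (
    "jobs:\n"
    "  build:\n"
    "    steps:\n"
    "      - uses: actions/checkout@v4\n"
    "      - uses: actions/setup-node@v4.1.0\n"
    "        with:\n"
    "          node-version: 20\n"
    "      - uses: github/codeql-action/upload-sarif@v3\n"
    "      - uses: ./.github/actions/local\n"
    "      - uses: actions/cache@" + "deadbeef" * 5 + " # v4.0.2\n"
)
FAKE_SHAS = {  # not real commits
    ("actions/checkout", "v4"): "1" * 40,
    ("actions/setup-node", "v4.1.0"): "2" * 40,
    ("github/codeql-action", "v3"): "3" * 40,
}


def demo_resolve(repo: str, tag: str) -> str:
    """Offline stand-in for gh_resolve backed by the constructed table."""
    return FAKE_SHAS[(repo, tag)]


if __name__ == "__main__":
    # Usage: python pin_actions.py .github/workflows/ci.yml .github/workflows/release.yml
    for path in sys.argv[1:]:
        with open(path) as f:
            original = f.read()
        updated = pin_workflow(original, gh_resolve)
        with open(path, "w") as f:
            f.write(updated)
        print(f"{path}: {len(unpinned(original))} refs pinned, "
              f"{len(unpinned(updated))} still unpinned")
```

Keep the trailing `# vX` comment: Dependabot and Renovate read it to know which release a SHA corresponds to and update both the SHA and the comment on new releases, so pinning does not freeze the pipeline on stale action versions. Re-running `unpinned()` over the rewritten files is the same check CodeQL's actions/unpinned-tag query performs, so the 19 alerts should close once no line is reported.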

CodeQL alert IDs: #252 to #270

Labels: security