Skip to content

Fix GitHub Actions not pinned by hash #178917

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
guidezpl merged 3 commits into from
Nov 28, 2025
Merged

Fix GitHub Actions not pinned by hash #178917

guidezpl merged 3 commits into from
Nov 28, 2025
+5 −5

Conversation

@step-security-bot
Copy link
Contributor

@step-security-bot step-security-bot commented Nov 21, 2025
edited by guidezpl
Loading

Use explicit pinned dependencies per:

This pull request is created by StepSecurity at the request of @guidezpl. Please merge the Pull Request to incorporate the requested changes.

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Nov 21, 2025

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@guidezpl
Copy link
Member

guidezpl commented Nov 21, 2025

Confirming I requested this

@guidezpl guidezpl requested a review from jtmcdole November 21, 2025 11:25
@guidezpl guidezpl requested a review from zanderso November 28, 2025 08:55
@guidezpl guidezpl added this pull request to the merge queue Nov 28, 2025
Merged via the queue into flutter:master with commit d53693f Nov 28, 2025
6 checks passed
@jtmcdole
Copy link
Member

jtmcdole commented Nov 28, 2025

According to internal OSS policy; "actions/" is owned by GitHub and trusted with tagged versions. This is one place where scorecard is more conservative.

engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Nov 29, 2025
@engine-flutter-autoroll
d53693fb5 Fix GitHub Actions not pinned by hash (flutter/flutter#178917)
97d2dfb
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Nov 29, 2025
Closed
engine-flutter-autoroll added a commit to engine-flutter-autoroll/packages that referenced this pull request Nov 29, 2025
@engine-flutter-autoroll
d53693fb5 Fix GitHub Actions not pinned by hash (flutter/flutter#178917)
8ca1dfd
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Nov 29, 2025
Merged
auto-submit bot pushed a commit to flutter/packages that referenced this pull request Nov 29, 2025
@engine-flutter-autoroll
Roll Flutter from 022b155d1b76 to 2b5fa9462ce9 (14 revisions) (#10535)
b6e7d59 
flutter/flutter@022b155...2b5fa94

2025-11-29 [email protected] Roll Fuchsia Linux SDK from 3mkBM9XuntkUl3G9l... to sY2ExxZc0A8bgMF11... (flutter/flutter#179233)
2025-11-29 [email protected] Roll Dart SDK from 09b91afe9f4d to 56cc05dd11a8 (1 revision) (flutter/flutter#179231)
2025-11-28 [email protected] [ Tool ] Don't try to reattach when attach target disappears (flutter/flutter#179193)
2025-11-28 [email protected] Roll Dart SDK from 4bd803e19d22 to 09b91afe9f4d (1 revision) (flutter/flutter#179222)
2025-11-28 [email protected] Fix GitHub Actions not pinned by hash (flutter/flutter#178917)
2025-11-28 [email protected] Update workflow permissions in easy-cp.yml (flutter/flutter#178919)
2025-11-28 [email protected] Roll Packages from b505d41 to c8be05d (1 revision) (flutter/flutter#179218)
2025-11-28 [email protected] Roll Dart SDK from 394606994711 to 4bd803e19d22 (1 revision) (flutter/flutter#179215)
2025-11-28 [email protected] Roll Dart SDK from 74247cdd0f18 to 394606994711 (1 revision) (flutter/flutter#179205)
2025-11-28 [email protected] Roll Fuchsia Linux SDK from _e9MNK4nfBOrERVP_... to 3mkBM9XuntkUl3G9l... (flutter/flutter#179203)
2025-11-28 [email protected] Roll Dart SDK from 1e6edf8a8dab to 74247cdd0f18 (2 revisions) (flutter/flutter#179201)
2025-11-27 [email protected] [ Widget Preview ] Handle changes to unexpected pubspec.yaml files gracefully (flutter/flutter#179157)
2025-11-27 [email protected] Roll Dart SDK from 1d8dc04bd1d7 to 1e6edf8a8dab (9 revisions) (flutter/flutter#179190)
2025-11-27 [email protected] Roll Packages from 5d8d954 to b505d41 (4 revisions) (flutter/flutter#179188)

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/flutter-packages
Please CC [email protected],[email protected] on the revert to ensure that a human
is aware of the problem.

To file a bug in Packages: https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug:
https://issues.skia.org/issues/new?component=1389291&template=1850622

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
jtmcdole
jtmcdole reviewed Dec 2, 2025
View reviewed changes
Copy link
Member

@jtmcdole jtmcdole left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be safe since we allow all actions/checkout: actions/checkout@*,

![printer2](

Warning

This asset could not be copied from your saved reply. Please try again later.

)

mboetger pushed a commit to mboetger/flutter that referenced this pull request Dec 2, 2025
@step-security-bot @guidezpl
@zanderso @mboetger
Fix GitHub Actions not pinned by hash (flutter#178917)
4c39f12 
Use explicit pinned dependencies per:
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)

This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo) at the request of
@guidezpl. Please merge the Pull Request to incorporate the requested
changes.

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: Pierre-Louis <[email protected]>
Co-authored-by: Zachary Anderson <[email protected]>
reidbaker pushed a commit to AbdeMohlbi/flutter that referenced this pull request Dec 10, 2025
@step-security-bot @guidezpl
@zanderso @reidbaker
Fix GitHub Actions not pinned by hash (flutter#178917)
2a4c76d 
Use explicit pinned dependencies per:
- [The Open Source Security Foundation (OpenSSF) Security
Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies)

This pull request is created by
[StepSecurity](https://app.stepsecurity.io/securerepo) at the request of
@guidezpl. Please merge the Pull Request to incorporate the requested
changes.

Signed-off-by: StepSecurity Bot <[email protected]>
Co-authored-by: Pierre-Louis <[email protected]>
Co-authored-by: Zachary Anderson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jtmcdole jtmcdole jtmcdole left review comments

@zanderso zanderso zanderso approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@step-security-bot @guidezpl @jtmcdole @zanderso