From 46f37ae4fbd73b440da50f7be068aadb2478f87d Mon Sep 17 00:00:00 2001
From: Andriy Kalashnykov
Date: Sun, 29 Mar 2026 17:16:56 -0400
Subject: [PATCH] chore: pin actions to commit SHAs and add Skills section to CLAUDE.md

Pin all GitHub Actions to commit SHAs instead of mutable version tags across ci.yml, release.yml, maintenance.yml, and all reusable workflows. This prevents supply-chain attacks via tag hijacking.

Add the required Skills section to CLAUDE.md mapping project files (README.md, .github/workflows/*.yml) to their respective review skills.
---
 .github/workflows/ci.yml | 26 ++++++++++++-------------
 .github/workflows/maintenance.yml | 10 +++++-----
 .github/workflows/release.yml | 2 +-
 .github/workflows/reusable-release.yml | 2 +-
 .github/workflows/reusable-test.yml | 14 ++++++-------
 .github/workflows/reusable-validate.yml | 4 ++--
 CLAUDE.md | 11 +++++++++++
 7 files changed, 40 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e82760b1..557b5c92 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,10 +34,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js ${{ matrix.node }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ matrix.node }}
@@ -68,7 +68,7 @@ jobs:
 - name: Cache npm
 if: matrix.pm == 'npm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.npm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ matrix.node }}-npm-${{ hashFiles('**/package-lock.json') }}
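Review bot: Every pinned `uses:` line in this hunk carries only `# v4`, a major tag, so a reader cannot tell from the file which release `34e114876b0b11c390a56381ad16ebd13914f8d5` (or the setup-node and cache SHAs) actually corresponds to, and tools such as Dependabot and Renovate rely on that trailing comment when they later bump pins; record the exact tag the SHA resolves to, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch as tagged upstream>`. Before merging, confirm each SHA resolves to a tagged release in the upstream repository rather than trusting the comment, since a wrong SHA with a plausible comment is exactly the failure pinning is meant to catch. The same applies to every pinned line in the remaining ci.yml hunks and in maintenance.yml, release.yml, reusable-release.yml, reusable-test.yml and reusable-validate.yml. A SHA pin is only as safe as its update path: if the repository does not already enable the `github-actions` ecosystem in `.github/dependabot.yml` (not visible in this diff), these pins will silently miss upstream security fixes.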
@@ -83,7 +83,7 @@ jobs:
 - name: Cache pnpm
 if: matrix.pm == 'pnpm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.pnpm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ matrix.node }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -104,7 +104,7 @@ jobs:
 - name: Cache yarn
 if: matrix.pm == 'yarn'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ matrix.node }}-yarn-${{ hashFiles('**/yarn.lock') }}
@@ -113,7 +113,7 @@ jobs:
 - name: Cache bun
 if: matrix.pm == 'bun'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -146,7 +146,7 @@ jobs:
 # Upload test artifacts on failure
 - name: Upload test artifacts
 if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: test-results-${{ matrix.os }}-node${{ matrix.node }}-${{ matrix.pm }}
 path: |
@@ -160,10 +160,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
@@ -205,10 +205,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
@@ -223,10 +223,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index 5d300847..7ad26213 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -15,8 +15,8 @@ jobs:
 name: Check Dependencies
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
 - name: Check for outdated packages
@@ -26,8 +26,8 @@ jobs:
 name: Security Audit
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
 - name: Run security audit
@@ -43,7 +43,7 @@ jobs:
 name: Stale Issues/PRs
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
 with:
 stale-issue-message: 'This issue is stale due to inactivity.'
 stale-pr-message: 'This PR is stale due to inactivity.'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 524880a7..a31c08b5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index c5df4136..01cd4fe2 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml
index 2f362e2d..1446c579 100644
--- a/.github/workflows/reusable-test.yml
+++ b/.github/workflows/reusable-test.yml
@@ -27,10 +27,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ inputs.node-version }}
@@ -59,7 +59,7 @@ jobs:
 - name: Cache npm
 if: inputs.package-manager == 'npm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.npm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ inputs.node-version }}-npm-${{ hashFiles('**/package-lock.json') }}
@@ -74,7 +74,7 @@ jobs:
 - name: Cache pnpm
 if: inputs.package-manager == 'pnpm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.pnpm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ inputs.node-version }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -95,7 +95,7 @@ jobs:
 - name: Cache yarn
 if: inputs.package-manager == 'yarn'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ inputs.node-version }}-yarn-${{ hashFiles('**/yarn.lock') }}
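Review bot: Pinning the steps inside reusable-release.yml and reusable-test.yml (and reusable-validate.yml below) closes only part of the chain if the callers reference these reusable workflows through a mutable ref such as `@main` or a branch name; that caller-side reference is not visible in this diff, so it is worth checking that any cross-repository caller uses `owner/repo/.github/workflows/reusable-test.yml@<commit SHA>` as well. Same-repository callers that use a relative `./.github/workflows/...` path run at the caller's own commit and need no separate pin.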
@@ -104,7 +104,7 @@ jobs:
 - name: Cache bun
 if: inputs.package-manager == 'bun'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -134,7 +134,7 @@ jobs:
 - name: Upload test artifacts
 if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: test-results-${{ inputs.os }}-node${{ inputs.node-version }}-${{ inputs.package-manager }}
 path: |
diff --git a/.github/workflows/reusable-validate.yml b/.github/workflows/reusable-validate.yml
index 0aa14640..6612b683 100644
--- a/.github/workflows/reusable-validate.yml
+++ b/.github/workflows/reusable-validate.yml
@@ -17,10 +17,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ inputs.node-version }}
diff --git a/CLAUDE.md b/CLAUDE.md
index 10064cc6..a3053d7f 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -59,3 +59,14 @@ Follow the formats in CONTRIBUTING.md:
 - Hooks: JSON with matcher and hooks array
 File naming: lowercase with hyphens (e.g., `python-reviewer.md`, `tdd-workflow.md`)
+
+## Skills
+
+Use the following skills when working on related files:
+
+| File(s) | Skill |
+|---------|-------|
+| `README.md` | `/readme` |
+| `.github/workflows/*.yml` | `/ci-workflow` |
+
+When spawning subagents, always pass conventions from the respective skill into the agent's prompt.