From 4b80d06fde35718ffbd65b6279a7a1fe34f7ba20 Mon Sep 17 00:00:00 2001 From: s8n-ru <279801990+s8n-ru@users.noreply.github.com> Date: Wed, 6 May 2026 10:32:13 +0100 Subject: [PATCH] ci(bluebuild): pin blue-build/github-action to commit SHA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace @v1 with @24d146df25adc2cf579e918efe2d9bff6adea408 (the commit v1 currently resolves to). Tag pins on third-party actions are mutable — a maintainer or attacker can re-point v1 at a malicious commit and silently change what runs on every push. Trailing comment '# v1' preserves human readability for future bumps. Refs: 9-agent CI hardening wave (agent 8), 2026-05-05. --- .github/workflows/build-bluebuild.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-bluebuild.yml b/.github/workflows/build-bluebuild.yml index e0e49dc..951ba35 100644 --- a/.github/workflows/build-bluebuild.yml +++ b/.github/workflows/build-bluebuild.yml @@ -57,12 +57,12 @@ jobs: df -h # BlueBuild action wraps: image build, cosign sign (keyless via - # Sigstore), GHCR push. To pin to a commit SHA in a follow-up - # once the workflow shape stabilises (CI hardening agent 8, - # 2026-05-05 wave). + # Sigstore), GHCR push. Pinned to a commit SHA per CI hardening + # agent 8 (2026-05-05 wave). The trailing comment records the + # tag the SHA resolved from, so future bumps stay legible. - name: Build + push veilor-os OCI id: bluebuild - uses: blue-build/github-action@v1 + uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1 with: recipe: bluebuild/recipe.yml registry_token: ${{ secrets.GITHUB_TOKEN }}
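Review bot: the trailing comment `# v1` on the `uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1` line records only the floating major tag, not the exact release that SHA corresponds to, so the new in-file comment's claim that it "records the tag the SHA resolved from" is only loosely true and a future bump cannot check the pin against a specific release. Suggest replacing `# v1` with the full tag name that `v1` pointed at when the SHA was captured (e.g. `# v1.<minor>.<patch>`, whatever `git ls-remote --tags` reports for that commit), which also lets dependency-update tooling match the pin to upstream releases. Separately, the commit message should state how the SHA was verified to belong to the upstream `blue-build/github-action` repository rather than a fork, since GitHub resolves a commit reachable from any fork through the upstream repository name; a `git ls-remote https://github.com/blue-build/github-action v1` output line in the description would make the pin auditable.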