From 939a5b918c3a49da9131210e59a4a121015fa9d1 Mon Sep 17 00:00:00 2001 From: veilor-org Date: Wed, 6 May 2026 10:41:19 +0100 Subject: [PATCH] ci: TODO marker for SHA-pinning third-party actions Note that all `uses:` directives still resolve to mutable major- version tags. SHA-pinning is the Agent 8 audit recommendation but requires per-action web lookups that stalled the previous SRE attempt; tracked separately so this PR can land first. --- .github/workflows/build-iso.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-iso.yml b/.github/workflows/build-iso.yml index 46ac1fa..fca0ad5 100644 --- a/.github/workflows/build-iso.yml +++ b/.github/workflows/build-iso.yml @@ -1,3 +1,5 @@ +# TODO: SHA-pin all uses: tags to commit SHAs (Agent 8 audit recommendation). +# Tracked separately so this PR can land without long web lookups. name: Build veilor-os ISO on:
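Review bot: The two-line TODO added at the top of .github/workflows/build-iso.yml says the pinning work is "Tracked separately" but gives no issue number or link, so nothing in the file lets a later reader find the follow-up or confirm it was done. Reference the tracking issue in the comment. The second line, "so this PR can land without long web lookups", describes the state of the pull request rather than the workflow and will be stale once merged; that reasoning belongs in the commit message, where it already appears. It would also help to say in the comment what remains exposed in the meantime: as the commit message notes, every `uses:` directive still resolves to a mutable major-version tag, so the ISO build runs whatever commit those tags point to at run time. A form such as `# TODO(<issue ref>): pin every uses: reference to a full commit SHA; tags are mutable` carries both points in one line.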