Background
AI reviewers (CodeRabbit, cubic) and zizmor SAST flagged the GitHub Actions in .github/workflows/ci.yml as using mutable version tags (@v4, @v2) rather than pinned commit SHAs, and noted the checkout step does not set persist-credentials: false. Surfaced on PR #38.
These are valid supply-chain hardening concerns (a compromised action maintainer can retarget a tag to malicious code; persisted credentials widen token exposure).
Why a separate issue
PR #38 only adds the link-check job. The flagged refs (actions/checkout@v4, jdx/mise-action@v2) appear identically across all jobs in ci.yml (test, build, lint, link-check) plus codecov/codecov-action@v5 — 8+ references total. Pinning only the 2 lines added by PR #38 would leave the workflow half-pinned and inconsistently hardened, giving a false sense of security. The correct fix is a dedicated, repo-wide pass.
Scope
References
Background
AI reviewers (CodeRabbit, cubic) and zizmor SAST flagged the GitHub Actions in
.github/workflows/ci.ymlas using mutable version tags (@v4,@v2) rather than pinned commit SHAs, and noted the checkout step does not setpersist-credentials: false. Surfaced on PR #38.These are valid supply-chain hardening concerns (a compromised action maintainer can retarget a tag to malicious code; persisted credentials widen token exposure).
Why a separate issue
PR #38 only adds the
link-checkjob. The flagged refs (actions/checkout@v4,jdx/mise-action@v2) appear identically across all jobs inci.yml(test,build,lint,link-check) pluscodecov/codecov-action@v5— 8+ references total. Pinning only the 2 lines added by PR #38 would leave the workflow half-pinned and inconsistently hardened, giving a false sense of security. The correct fix is a dedicated, repo-wide pass.Scope
.github/workflows/*.ymlto a full commit SHA (with a trailing# vX.Y.Zcomment)persist-credentials: falseto everyactions/checkoutstep that does not need to pushgithub-actionsto keep pinned SHAs currentReferences
unpinned-uses,artipacked