Nx
Enterprise
Nx
Overview
Sign in / Sign up
Open main menu
Nx
GitHub
Select a tab
Overview
Runs
Analytics
Nx
GitHub
Overview
Runs
Analytics
Loading workspace stats
Loading workspace insights...
Statistics interval
7 days
30 days
Latest CI Pipeline Executions
Filter range
Sort by
Sort by
Start time
Sort ascending
Sort descending
Filter
Filter exact branch match
Exact
Select status
Succeeded
32657
a4ffefff chore(repo): pin GitHub Actions to commit SHAs for security GitHub Actions in workflow files use mutable references (tags/branches) which can be modified after initial use, posing a security risk. If a tag is moved to a different commit or if an action repository is compromised, workflows could execute unintended code. All GitHub Actions should be pinned to specific commit SHAs to ensure workflows always execute the exact same code that was reviewed and tested. This follows GitHub's security best practices for Actions. - .github/workflows/ci.yml - .github/workflows/e2e-matrix.yml - .github/workflows/generate-embeddings.yml - .github/workflows/issue-notifier.yml - .github/workflows/lock-threads.yml - .github/workflows/npm-audit.yml - .github/workflows/pr-title-validation.yml - .github/workflows/schedule-stale.yml Converted all action references from mutable tags/branches to immutable SHA references: **Core Actions:** - actions/checkout@v4 → actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - actions/setup-node@v4 → actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 - actions/cache@v4 → actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 - actions/upload-artifact@v4 → actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 - actions/download-artifact@v4 → actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 - actions/github-script@v7.1.0 → actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b - actions/stale@v9.0.0 → actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e **Third-party Actions:** - pnpm/action-setup@v4 → pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda - nrwl/nx-set-shas@v4 → nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 - browser-actions/setup-chrome@v1 → browser-actions/setup-chrome@c785b87e244131f27c9f19c1a33e2ead956ab7ce - dtolnay/rust-toolchain@stable → dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - gradle/actions/setup-gradle@v4 → gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 - dessant/lock-threads@v4 → dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 - ravsamhq/notify-slack-action@v2 → ravsamhq/notify-slack-action@042f29088bb3bdbda5b4ff7b4818466a277fa8f7 - oven-sh/setup-bun@v1 → oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 - dawidd6/action-download-artifact@v2 → dawidd6/action-download-artifact@b7ae8e834b3579243d2b8519bafd41922491bb88 - slackapi/slack-github-action@v1.23.0 → slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 - mxschmitt/action-tmate@v3.8 → mxschmitt/action-tmate@b926bc441c90cceb124409125658bbe544a2e1dd **Previously Updated (publish.yml):** - actions-rust-lang/setup-rust-toolchain@v1 → actions-rust-lang/setup-rust-toolchain@ac90e63697ac2784f4ecfe2964e1a285c304003a - goto-bus-stop/setup-zig@v2.2.1 → goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 - addnab/docker-run-action@v3 → addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 - cross-platform-actions/action@v0.25.0 → cross-platform-actions/action@cdc9ee69ef84a5f2e59c9058335d9c57bcb4ac86 1. **Security**: Prevents supply chain attacks through compromised or moved tags 2. **Reproducibility**: Ensures workflows always run the same code 3. **Auditability**: Makes it clear exactly what code is being executed 4. **Compliance**: Follows GitHub's security best practices for Actions - All SHA references have been verified to exist in their respective repositories - Original tag/branch names are preserved as comments for maintainability - No functional changes to workflow behavior - only reference pinning
14 hours ago
by jaysoo
Succeeded
32657
4f444e59 chore(repo): pin GitHub Actions to commit SHAs for security GitHub Actions in workflow files use mutable references (tags/branches) which can be modified after initial use, posing a security risk. If a tag is moved to a different commit or if an action repository is compromised, workflows could execute unintended code. All GitHub Actions should be pinned to specific commit SHAs to ensure workflows always execute the exact same code that was reviewed and tested. This follows GitHub's security best practices for Actions. - .github/workflows/ci.yml - .github/workflows/e2e-matrix.yml - .github/workflows/generate-embeddings.yml - .github/workflows/issue-notifier.yml - .github/workflows/lock-threads.yml - .github/workflows/npm-audit.yml - .github/workflows/pr-title-validation.yml - .github/workflows/schedule-stale.yml Converted all action references from mutable tags/branches to immutable SHA references: **Core Actions:** - actions/checkout@v4 → actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - actions/setup-node@v4 → actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 - actions/cache@v4 → actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 - actions/upload-artifact@v4 → actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 - actions/download-artifact@v4 → actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 - actions/github-script@v7.1.0 → actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b - actions/stale@v9.0.0 → actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e **Third-party Actions:** - pnpm/action-setup@v4 → pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda - nrwl/nx-set-shas@v4 → nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 - browser-actions/setup-chrome@v1 → browser-actions/setup-chrome@c785b87e244131f27c9f19c1a33e2ead956ab7ce - dtolnay/rust-toolchain@stable → dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - gradle/actions/setup-gradle@v4 → gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 - dessant/lock-threads@v4 → dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 - ravsamhq/notify-slack-action@v2 → ravsamhq/notify-slack-action@042f29088bb3bdbda5b4ff7b4818466a277fa8f7 - oven-sh/setup-bun@v1 → oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 - dawidd6/action-download-artifact@v2 → dawidd6/action-download-artifact@b7ae8e834b3579243d2b8519bafd41922491bb88 - slackapi/slack-github-action@v1.23.0 → slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 - mxschmitt/action-tmate@v3.8 → mxschmitt/action-tmate@b926bc441c90cceb124409125658bbe544a2e1dd **Previously Updated (publish.yml):** - actions-rust-lang/setup-rust-toolchain@v1 → actions-rust-lang/setup-rust-toolchain@ac90e63697ac2784f4ecfe2964e1a285c304003a - goto-bus-stop/setup-zig@v2.2.1 → goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 - addnab/docker-run-action@v3 → addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 - cross-platform-actions/action@v0.25.0 → cross-platform-actions/action@cdc9ee69ef84a5f2e59c9058335d9c57bcb4ac86 1. **Security**: Prevents supply chain attacks through compromised or moved tags 2. **Reproducibility**: Ensures workflows always run the same code 3. **Auditability**: Makes it clear exactly what code is being executed 4. **Compliance**: Follows GitHub's security best practices for Actions - All SHA references have been verified to exist in their respective repositories - Original tag/branch names are preserved as comments for maintainability - No functional changes to workflow behavior - only reference pinning
16 hours ago
by jaysoo
Canceled
32657
43a4d619 chore(repo): pin GitHub Actions to commit SHAs for security ## Current Behavior GitHub Actions in workflow files use mutable references (tags/branches) which can be modified after initial use, posing a security risk. If a tag is moved to a different commit or if an action repository is compromised, workflows could execute unintended code. ## Expected Behavior All GitHub Actions should be pinned to specific commit SHAs to ensure workflows always execute the exact same code that was reviewed and tested. This follows GitHub's security best practices for Actions. ## Related Issue(s) Fixes #security-hardening ## Changes Made ### Updated Workflow Files (8 total): - .github/workflows/ci.yml - .github/workflows/e2e-matrix.yml - .github/workflows/generate-embeddings.yml - .github/workflows/issue-notifier.yml - .github/workflows/lock-threads.yml - .github/workflows/npm-audit.yml - .github/workflows/pr-title-validation.yml - .github/workflows/schedule-stale.yml ### Actions Updated (~60 references): Converted all action references from mutable tags/branches to immutable SHA references: **Core Actions:** - actions/checkout@v4 → actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 - actions/setup-node@v4 → actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 - actions/cache@v4 → actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 - actions/upload-artifact@v4 → actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 - actions/download-artifact@v4 → actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 - actions/github-script@v7.1.0 → actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b - actions/stale@v9.0.0 → actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e **Third-party Actions:** - pnpm/action-setup@v4 → pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda - nrwl/nx-set-shas@v4 → nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 - browser-actions/setup-chrome@v1 → browser-actions/setup-chrome@c785b87e244131f27c9f19c1a33e2ead956ab7ce - dtolnay/rust-toolchain@stable → dtolnay/rust-toolchain@5d458579430fc14a04a08a1e7d3694f545e91ce6 - gradle/actions/setup-gradle@v4 → gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 - dessant/lock-threads@v4 → dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 - ravsamhq/notify-slack-action@v2 → ravsamhq/notify-slack-action@042f29088bb3bdbda5b4ff7b4818466a277fa8f7 - oven-sh/setup-bun@v1 → oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 - dawidd6/action-download-artifact@v2 → dawidd6/action-download-artifact@b7ae8e834b3579243d2b8519bafd41922491bb88 - slackapi/slack-github-action@v1.23.0 → slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 - mxschmitt/action-tmate@v3.8 → mxschmitt/action-tmate@b926bc441c90cceb124409125658bbe544a2e1dd **Previously Updated (publish.yml):** - actions-rust-lang/setup-rust-toolchain@v1 → actions-rust-lang/setup-rust-toolchain@ac90e63697ac2784f4ecfe2964e1a285c304003a - goto-bus-stop/setup-zig@v2.2.1 → goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 - addnab/docker-run-action@v3 → addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 - cross-platform-actions/action@v0.25.0 → cross-platform-actions/action@cdc9ee69ef84a5f2e59c9058335d9c57bcb4ac86 ## Benefits 1. **Security**: Prevents supply chain attacks through compromised or moved tags 2. **Reproducibility**: Ensures workflows always run the same code 3. **Auditability**: Makes it clear exactly what code is being executed 4. **Compliance**: Follows GitHub's security best practices for Actions ## Notes - All SHA references have been verified to exist in their respective repositories - Original tag/branch names are preserved as comments for maintainability - No functional changes to workflow behavior - only reference pinning
17 hours ago
by jaysoo
Succeeded
32657
f23532f0 chore(repo): pin actions to shas
19 hours ago
by jaysoo
Previous page
Previous
Next
Next page
