From 46f37ae4fbd73b440da50f7be068aadb2478f87d Mon Sep 17 00:00:00 2001
From: Andriy Kalashnykov
Date: Sun, 29 Mar 2026 17:16:56 -0400
Subject: [PATCH] chore: pin actions to commit SHAs and add Skills section to CLAUDE.md

Pin all GitHub Actions to commit SHAs instead of mutable version tags across ci.yml, release.yml, maintenance.yml, and all reusable workflows. This prevents supply-chain attacks via tag hijacking.

Add the required Skills section to CLAUDE.md mapping project files (README.md, .github/workflows/*.yml) to their respective review skills.
---
 .github/workflows/ci.yml | 26 ++++++++++++-------------
 .github/workflows/maintenance.yml | 10 +++++-----
 .github/workflows/release.yml | 2 +-
 .github/workflows/reusable-release.yml | 2 +-
 .github/workflows/reusable-test.yml | 14 ++++++-------
 .github/workflows/reusable-validate.yml | 4 ++--
 CLAUDE.md | 11 +++++++++++
 7 files changed, 40 insertions(+), 29 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e82760b..557b5c9 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,10 +34,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js ${{ matrix.node }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ matrix.node }}
@@ -68,7 +68,7 @@ jobs:
 - name: Cache npm
 if: matrix.pm == 'npm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.npm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ matrix.node }}-npm-${{ hashFiles('**/package-lock.json') }}
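Review bot: The `# v4` comment beside each new SHA pin records only the major version, so a reader cannot tell which release a SHA was taken from or verify the pin without resolving it against the upstream repository; the same applies to every other pin in this patch (the remaining ci.yml hunks, maintenance.yml, release.yml, reusable-release.yml, reusable-test.yml and reusable-validate.yml). Record the exact tag each SHA was resolved from, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch> (placeholder — use the real tag)`, so the pin is auditable and automated updaters can match it against upstream releases. Since pinned SHAs no longer move, they will silently fall behind security fixes unless something bumps them; if the repository does not already have a `.github/dependabot.yml` entry for the `github-actions` package-ecosystem (not visible in this patch), add one. The enclosing `jobs:` block and the job that owns these steps begin outside the hunk.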
@@ -83,7 +83,7 @@ jobs:
 - name: Cache pnpm
 if: matrix.pm == 'pnpm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.pnpm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ matrix.node }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -104,7 +104,7 @@ jobs:
 - name: Cache yarn
 if: matrix.pm == 'yarn'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ matrix.node }}-yarn-${{ hashFiles('**/yarn.lock') }}
@@ -113,7 +113,7 @@ jobs:
 - name: Cache bun
 if: matrix.pm == 'bun'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -146,7 +146,7 @@ jobs:
 # Upload test artifacts on failure
 - name: Upload test artifacts
 if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: test-results-${{ matrix.os }}-node${{ matrix.node }}-${{ matrix.pm }}
 path: |
@@ -160,10 +160,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
@@ -205,10 +205,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
@@ -223,10 +223,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
index 5d30084..7ad2621 100644
--- a/.github/workflows/maintenance.yml
+++ b/.github/workflows/maintenance.yml
@@ -15,8 +15,8 @@ jobs:
 name: Check Dependencies
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
 - name: Check for outdated packages
@@ -26,8 +26,8 @@ jobs:
 name: Security Audit
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20.x'
 - name: Run security audit
@@ -43,7 +43,7 @@ jobs:
 name: Stale Issues/PRs
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v9
+ - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
 with:
 stale-issue-message: 'This issue is stale due to inactivity.'
 stale-pr-message: 'This PR is stale due to inactivity.'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 524880a..a31c08b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
index c5df413..01cd4fe 100644
--- a/.github/workflows/reusable-release.yml
+++ b/.github/workflows/reusable-release.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 fetch-depth: 0
diff --git a/.github/workflows/reusable-test.yml b/.github/workflows/reusable-test.yml
index 2f362e2..1446c57 100644
--- a/.github/workflows/reusable-test.yml
+++ b/.github/workflows/reusable-test.yml
@@ -27,10 +27,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ inputs.node-version }}
@@ -59,7 +59,7 @@ jobs:
 - name: Cache npm
 if: inputs.package-manager == 'npm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.npm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ inputs.node-version }}-npm-${{ hashFiles('**/package-lock.json') }}
@@ -74,7 +74,7 @@ jobs:
 - name: Cache pnpm
 if: inputs.package-manager == 'pnpm'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.pnpm-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ inputs.node-version }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -95,7 +95,7 @@ jobs:
 - name: Cache yarn
 if: inputs.package-manager == 'yarn'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache-dir.outputs.dir }}
 key: ${{ runner.os }}-node-${{ inputs.node-version }}-yarn-${{ hashFiles('**/yarn.lock') }}
@@ -104,7 +104,7 @@ jobs:
 - name: Cache bun
 if: inputs.package-manager == 'bun'
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.bun/install/cache
 key: ${{ runner.os }}-bun-${{ hashFiles('**/bun.lockb') }}
@@ -134,7 +134,7 @@ jobs:
 - name: Upload test artifacts
 if: failure()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: test-results-${{ inputs.os }}-node${{ inputs.node-version }}-${{ inputs.package-manager }}
 path: |
diff --git a/.github/workflows/reusable-validate.yml b/.github/workflows/reusable-validate.yml
index 0aa1464..6612b68 100644
--- a/.github/workflows/reusable-validate.yml
+++ b/.github/workflows/reusable-validate.yml
@@ -17,10 +17,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ inputs.node-version }}
diff --git a/CLAUDE.md b/CLAUDE.md
index 10064cc..a3053d7 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -59,3 +59,14 @@ Follow the formats in CONTRIBUTING.md:
 - Hooks: JSON with matcher and hooks array
 File naming: lowercase with hyphens (e.g., `python-reviewer.md`, `tdd-workflow.md`)
+
+## Skills
+
+Use the following skills when working on related files:
+
+| File(s) | Skill |
+|---------|-------|
+| `README.md` | `/readme` |
+| `.github/workflows/*.yml` | `/ci-workflow` |
+
+When spawning subagents, always pass conventions from the respective skill into the agent's prompt.