From 3c81e057b9d82a121ac6af2a65dcf9fa0aeef0bb Mon Sep 17 00:00:00 2001 From: Lakshman Patel Date: Tue, 14 Jul 2026 06:45:27 +0530 Subject: [PATCH] chore(ci): pin third-party actions to commit SHAs, pin jscpd version, remove log truncation Removing '| head -50' on deadcode/jscpd output was hiding failures past line 50. Pinning actions/checkout, actions/setup-node, docker/* actions to SHA digests guards against tag-mutation supply-chain attacks. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e3f72b8..1f74b63 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -190,7 +190,7 @@ jobs: node-version: '20' - name: jscpd run: | - npx jscpd --min-lines 5 --min-tokens 50 --reporters console --blame . 2>&1 | head -50 + npx --yes jscpd@5.0.12 --min-lines 5 --min-tokens 50 --reporters console --blame . # ------------------------------------------------------------------------- # Fuzz the transcript parser, which consumes untrusted JSONL transcripts