docs: document actions pinning policy #136

Merged: CoderDeltaLAN merged 1 commit into main from supply-chain/decide-actions-pinning-policy on Jun 21, 2026
@CoderDeltaLAN (Owner)

Summary:

  • Documents the accepted GitHub Actions pinning policy decision for this repository.
  • Adds implementation guardrails for future full-length SHA pinning without changing workflow action references in this phase.
  • Updates the existing supply-chain evaluation record and CHANGELOG.

Scope:

  • Documentation-only supply-chain policy decision.
  • No workflow action references changed.
  • No release, tag, PyPI, branch protection, runtime behavior, dependency, Scorecard, or CodeQL changes.

Validation:

  • Local checks passed: 165 tests, ruff, text hygiene, git whitespace.
  • Post-release audit passed after commit.
  • Strong pre-push passed.
  • Diff reviewed and staged exactly.

Risk:

  • Low runtime risk because this phase does not change CI execution or product behavior.
  • Follow-up SHA pinning implementation must preserve sub-action paths exactly.

Rollback:

  • Revert this PR if the policy needs to be withdrawn or rewritten before v0.4.0.

@CoderDeltaLAN CoderDeltaLAN merged commit 5c02030 into main Jun 21, 2026
4 checks passed
@CoderDeltaLAN CoderDeltaLAN deleted the supply-chain/decide-actions-pinning-policy branch June 21, 2026 05:55
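
The Risk note above says a follow-up SHA pinning change must preserve sub-action paths exactly. The sketch below is an added example, not code from this repository: it audits `uses:` references for full-length SHA pins and rewrites unpinned ones while keeping any sub-action path intact. The workflow text, the resolved mapping and every SHA in it are constructed placeholders, and the regex assumes unquoted `uses:` values.

```python
import re

# Remote action reference: owner/repo[/sub/path]@ref. Local ("./...") and
# "docker://" references do not match and are left alone.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?uses:\s*)"
    r"(?P<repo>[A-Za-z0-9][\w-]*/[\w.-]+)(?P<subpath>(?:/[\w./-]+)?)"
    r"@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  analyze:
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
      - uses: github/codeql-action/analyze@v3
      - uses: ./.github/actions/local-check
      - uses: ossf/scorecard-action@0123456789abcdef0123456789abcdef01234567
"""
# Placeholder SHAs keyed by owner/repo@ref; real values must be resolved from the action's repo.
RESOLVED = {"actions/checkout@v4": "a" * 40, "github/codeql-action@v3": "b" * 40}

def audit(workflow_text):
    """Return (line_no, reference) for each remote action not pinned to a full-length SHA."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m["ref"]):
            findings.append((no, f'{m["repo"]}{m["subpath"]}@{m["ref"]}'))
    return findings

def pin(workflow_text, resolved):
    """Swap refs for SHAs from `resolved`; the sub-action path is copied through unchanged."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        key = f'{m["repo"]}@{m["ref"]}' if m else None
        if m and key in resolved:
            sha = resolved[key]
            if not FULL_SHA_RE.match(sha):
                raise ValueError(f"not a full-length SHA for {key}: {sha}")
            # Any trailing comment is replaced by the original ref for readability.
            line = f'{m["prefix"]}{m["repo"]}{m["subpath"]}@{sha} # {m["ref"]}'
        out.append(line)
    return "\n".join(out) + "\n"
```

Running `audit` again on the output of `pin` is a cheap regression check that no reference was left on a mutable tag and that no sub-action path was dropped.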