Skip to content

chore(security): uses pinned versions of actions#238

Open
jcchavezs wants to merge 1 commit into
auth0:mainfrom
jcchavezs:pin-gh-actions
Open

chore(security): uses pinned versions of actions#238
jcchavezs wants to merge 1 commit into
auth0:mainfrom
jcchavezs:pin-gh-actions

Conversation

@jcchavezs

Copy link
Copy Markdown
Contributor

This pull request updates the GitHub Actions workflow files to use pinned commit SHAs for all third-party actions, improving security and reproducibility.

@jcchavezs
jcchavezs requested a review from a team as a code owner June 9, 2026 15:38

@kishore7snehil kishore7snehil left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

kishore7snehil added a commit that referenced this pull request Jun 10, 2026
## Changes

- Pin all third-party GitHub Actions to full-length commit SHAs (with
version comments) across the `release`, `rl-scanner`, `snyk`, and
`tests` workflows, improving security and reproducibility
- Bump `shivammathur/setup-php` from 2.32.0 to 2.37.2
- Fix `SessionStore::delete()` to capture the session once, removing
redundant nullsafe operators flagged by PHPStan (`nullsafe.neverNull`)
- Align `Auth0Bundle::loadExtension()` parameter names with the parent
`AbstractBundle`/`ConfigurableExtensionInterface` signature, resolving a
Psalm `ParamNameMismatch`
- Add a `.snyk` policy to ignore the false-positive "Unknown license"
flag for `auth0/auth0-php` (the package is MIT-licensed)

Based on [#238](#238) by
([jcchavezs](https://github.com/jcchavezs)), and includes the
`shivammathur/setup-php` bump from
[#237](#237).

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: jcchavezs <josecarlos.chavez@owasp.org>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants