ci: pin OSV scanner actions to v2.3.8 release #45

Merged

yunseo-kim merged 1 commit into main from ci/pin-osv-scanner-v2.3.8 on Jun 6, 2026

Conversation

@yunseo-kim

Member

Update google/osv-scanner-action from 43f380b to v2.3.8 (9a49870) in both reusable workflows:

  • osv-scanner-pr-reusable.yml
  • osv-scanner-full-reusable.yml

This pins the actions to the last release tag instead of floating on the main branch, ensuring reproducible and stable CI runs.

Summary

Pin google/osv-scanner-action to the v2.3.8 release commit SHA (9a498708959aeaef5ef730655706c5a1df1edbc2) in both reusable workflows, replacing the previous SHA (43f380b8fc43a816831a9f5ee6fc91170809c7e9).

This ensures reproducible CI runs by tracking release tags instead of floating commits on the main branch.

Related Issues

  • Closes #
  • Related #

Change Type

  • Bug fix
  • Feature
  • Refactor
  • Documentation
  • Test/CI
  • Breaking change
  • Other:

Checklist

General

  • PR title follows Conventional Commits format: type(scope): Summary
  • This PR does not expose backend/internal implementation details in a public repo.
  • No secrets, tokens, keys, or private endpoints are included.
  • Changes stay within this repository's intended scope.

CI/Workflow Changes (if applicable)

If this PR modifies GitHub Actions workflows or CI/CD configuration, it must comply with our Supply Chain Integrity requirements:

  • All uses: references are pinned to full 40-character commit SHAs (with # vX.Y.Z comment)
  • step-security/harden-runner is included as the first step in every job
  • Job-level permissions are used instead of top-level permissions

Protocol / Compatibility Impact

  • No protocol/spec impact
  • Protocol/spec updated
  • Conformance tests updated
  • Breaking change is versioned and migration notes are included

If impacted, describe compatibility impact:

Testing

  • Unit tests added/updated
  • Integration or conformance tests added/updated
  • Tests pass
  • Lint and format pass
  • Type check passes
  • Manual verification performed

Describe test evidence:

Documentation

  • README updated
  • Spec/docs updated
  • Changelog/release notes updated (if needed)

Rollout / Risk

  • Risk level: Low
  • Rollback plan: Revert this PR to restore the previous pinned SHA.

Reviewer Checklist

  • Scope is clear and minimal
  • Security and boundary checks passed
  • Tests and docs are sufficient
  • Compatibility impact is correctly handled
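The pinning rule this PR applies (every `uses:` reference on a full 40-character commit SHA, with a `# vX.Y.Z` comment naming the release it corresponds to) is easy to verify mechanically. The checker below is an added example written for this page, not code from the repository or from google/osv-scanner-action. It scans workflow text with the standard library only and reports each `uses:` line as pinned correctly or not. The two osv-scanner-action SHAs are the ones quoted in the PR; the harden-runner SHA, its version comment and the local action path are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Matches step-level ("- uses: ...") and job-level ("uses: ...") action references,
# with an optional trailing "# comment".
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<comment>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v\d+(\.\d+)*")


@dataclass
class Finding:
    line: int
    uses: str
    ok: bool
    reason: str


def check_uses_pins(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` reference in the workflow text.

    A reference passes only if it is pinned to a full 40-hex commit SHA and
    carries a '# vX.Y.Z' comment; local (./) and docker:// references are
    reported as acceptable because SHA pinning does not apply to them.
    """
    findings: list[Finding] = []
    for lineno, raw in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        ref = m.group("ref").strip("\"'")
        comment = (m.group("comment") or "").strip()
        if ref.startswith("./") or ref.startswith("docker://"):
            findings.append(Finding(lineno, ref, True, "local or docker reference; not subject to SHA pinning"))
            continue
        if "@" not in ref:
            findings.append(Finding(lineno, ref, False, "no ref given; resolves to the default branch"))
            continue
        _action, version = ref.rsplit("@", 1)
        if not SHA_RE.fullmatch(version):
            findings.append(Finding(lineno, ref, False, f"ref '{version}' is a mutable tag or branch, not a 40-character commit SHA"))
            continue
        if not VERSION_COMMENT_RE.match(comment):
            findings.append(Finding(lineno, ref, False, "SHA pin lacks a '# vX.Y.Z' comment naming the release"))
            continue
        findings.append(Finding(lineno, ref, True, f"pinned to {version[:7]} ({comment})"))
    return findings


def unpinned_lines(workflow_text: str) -> list[int]:
    """Line numbers of every `uses:` reference that fails the pinning rule."""
    return [f.line for f in check_uses_pins(workflow_text) if not f.ok]


# Constructed sample workflow. The all-zero SHA and 'v0.0.0' on the harden-runner
# line and the ./.github/actions path are placeholders; the two osv-scanner-action
# SHAs are the new (v2.3.8) and previous pins quoted in the PR.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0000000000000000000000000000000000000000 # v0.0.0
      - uses: actions/checkout@v4
      - uses: google/osv-scanner-action@9a498708959aeaef5ef730655706c5a1df1edbc2 # v2.3.8
      - uses: google/osv-scanner-action@43f380b8fc43a816831a9f5ee6fc91170809c7e9
      - uses: ./.github/actions/local-helper
"""

if __name__ == "__main__":
    for f in check_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {'OK  ' if f.ok else 'FAIL'} {f.uses} -> {f.reason}")
```

Run against the sample, lines 6 and 8 fail: `actions/checkout@v4` floats on a movable tag, and the previous `43f380b…` pin is a full SHA but carries no release comment, which is exactly the situation this PR corrects. A line-oriented regex is enough for a pre-merge check; a linter meant to enforce the harden-runner-first and job-level-permissions rules from the same checklist should parse the YAML instead.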

Update google/osv-scanner-action from 43f380b to v2.3.8
(9a49870) in both reusable workflows:
- osv-scanner-pr-reusable.yml
- osv-scanner-full-reusable.yml

This pins the actions to the last release tag instead of floating
on the main branch, ensuring reproducible and stable CI runs.

Signed-off-by: Yunseo Kim <git@yunseo.kim>
@yunseo-kim yunseo-kim merged commit 63e5e93 into main Jun 6, 2026
10 checks passed
@yunseo-kim yunseo-kim deleted the ci/pin-osv-scanner-v2.3.8 branch June 6, 2026 16:28