Compliance: unpinned-actions-dependency-audit.yml

[don-petry]

Compliance Finding

Category: action-pinning
Severity: error
Check: unpinned-actions-dependency-audit.yml

Detail

Workflow dependency-audit.yml has 1 action(s) not pinned to SHA: uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

Standard Reference

standards/ci-standards.md#action-pinning-policy

Remediation

Please review the linked standard and bring this repository into compliance.

See the full standards documentation for implementation guidance.

---

This issue was automatically created by the weekly compliance audit.

[don-petry]

Weekly Compliance Audit (2026-04-09)

This finding is still open.

Detail: Workflow dependency-audit.yml has 1 action(s) not pinned to SHA: uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

Standard: standards/ci-standards.md#action-pinning-policy

[don-petry]

Claude encountered an error —— View job

---

I'll analyze this and get back to you.

[don-petry]

Weekly Compliance Audit (2026-04-10)

This finding is still open.

Detail: Workflow dependency-audit.yml has 1 action(s) not pinned to SHA: uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

Standard: standards/ci-standards.md#action-pinning-policy

[don-petry]

Claude finished @don-petry's task in 2m 27s —— View job • claude/issue-89-20260414-1321 • Create PR ➔

---

Fixing Unpinned Action in dependency-audit.yml

• Gather context and read current workflow file
• Fetch standard template from petry-projects/.github
• Look up SHA for dependency-audit-reusable.yml@v1 → 208ec2d69b75227d375edf8745d84fbac05a76b2
• Apply fix (pin to SHA)
• Commit and push
• Create PR — CI is green ✓

What was done: Pinned the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA 208ec2d69b75227d375edf8745d84fbac05a76b2 # v1, satisfying the org action-pinning policy.

View PR #104 |

[don-petry]

Weekly Compliance Audit (2026-04-17)

This finding is still open.

Detail: Workflow dependency-audit.yml has 1 action(s) not pinned to SHA: uses: petry-projects/.github/.github/workflows/dependency-audit-reusable.yml@v1

Standard: standards/ci-standards.md#action-pinning-policy

[don-petry]

Claude finished @don-petry's task in 2m 20s —— View job • claude/issue-89-20260420-1133 • [Create PR ➔](https://github.com/petry-projects/TalkTerm/compare/main...claude/issue-89-20260420-1133?quick_pull=1&title=Issue%20%2389%3A%20Changes%20from%20Claude&body=This%20PR%20addresses%20issue%20%2389%0A%0AGenerated%20with%20%5BClaude%20Code%5D(https%3A%2F%2Fclaude.ai%2Fcode)

---

Fixing Unpinned Action in dependency-audit.yml

• Gather context and read current workflow file
• Fetch standard template from petry-projects/.github/standards/workflows/
• Look up current SHA for dependency-audit-reusable.yml@v1 → ee22b427cbce9ecadcf2b436acb57c3adf0cb63d
• Apply fix (pin to SHA)
• Commit and push
• Create PR — #120

What was done: Pinned the reusable workflow reference in .github/workflows/dependency-audit.yml from the mutable @v1 tag to the exact commit SHA ee22b427cbce9ecadcf2b436acb57c3adf0cb63d # v1, satisfying the org action-pinning policy.

Note: PR #104 from a previous run (2026-04-14) is still open with the same fix but using an older SHA (208ec2d69b75227d375edf8745d84fbac05a76b2). This new PR uses the current SHA resolved from the v1 tag. Either PR will resolve the compliance finding; #104 should be closed in favour of #120.
| Branch