ci: pin psf/black action to commit SHA, fixes #9317 #9318

Merged
ThomasWaldmann merged 1 commit into borgbackup:master from mr-raj12:pin-black-action-sha
Feb 13, 2026
Conversation

@mr-raj12
Contributor

Summary

Pin psf/black from the mutable @stable branch reference to a specific commit SHA (26.1.0).

  • @stable is a branch that moves with every new release — the action code can change without notice
  • The # 26.1.0 comment enables Dependabot (already configured) to automatically propose SHA update PRs
  • The version: "~= 24.0" formatter constraint is unchanged — this only pins the action wrapper

Fixes #9317

Details

GitHub recommends pinning third-party actions to full-length commit SHAs for supply-chain security. The March 2025 tj-actions/changed-files incident demonstrated how mutable action refs can be exploited.

Change: One line in .github/workflows/black.yaml.

# before
- uses: psf/black@stable

# after
- uses: psf/black@6305bf1ae645ab7541be4f5028a86239316178eb  # 26.1.0
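As an added example (not part of the PR or of the borg project), a small Python check that scans a workflow file for `uses:` references that are not pinned to a full-length commit SHA, or that are pinned but lack the version comment Dependabot relies on; the sample workflow and the setup-python SHA in it are constructed.

```python
import re

# Matches a step reference of the form owner/repo[/path]@ref, with an optional
# trailing "# version" comment (the convention Dependabot reads for SHA pins).
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
# A full-length git commit SHA is exactly 40 hex digits; tags and branches are not.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow; the setup-python SHA is a made-up placeholder.
SAMPLE = """\
name: Lint
on: [push]
jobs:
  black:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: psf/black@stable
      - uses: psf/black@6305bf1ae645ab7541be4f5028a86239316178eb  # 26.1.0
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567
"""


def check_workflow(text):
    """Return (line_no, action, ref, problem) for every `uses:` line that is
    either not SHA-pinned or SHA-pinned without a version comment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # not a remote action reference (or a local ./ action)
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not FULL_SHA_RE.match(ref):
            # A tag or branch such as @v4 or @stable can be moved after the fact.
            findings.append((lineno, action, ref, "not pinned to a full-length commit SHA"))
        elif not comment:
            # Without "# <version>" Dependabot cannot propose SHA update PRs.
            findings.append((lineno, action, ref, "SHA pin lacks a version comment"))
    return findings


if __name__ == "__main__":
    for lineno, action, ref, problem in check_workflow(SAMPLE):
        print(f"line {lineno}: {action}@{ref}: {problem}")
```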

@ThomasWaldmann ThomasWaldmann merged commit 0c989a0 into borgbackup:master Feb 13, 2026
4 checks passed

Development

Successfully merging this pull request may close these issues.

ci: pin psf/black action to commit SHA in lint workflow