chore: pin third-party GitHub Actions to commit SHAs (#511)

pkaeding · web-flow · commit 853c26dcefba · 2026-03-23T12:11:43.000-07:00
## Summary Pin all third-party GitHub Actions to full-length commit SHAs to prevent supply chain attacks. Addresses findings from the [`third-party-action-not-pinned-to-commit-sha`](https://github.com/launchdarkly/semgrep-rules/blob/main/github-actions/third-party-action-not-pinned-to-commit-sha.yml) Semgrep rule. ## Test plan - [ ] Verify CI passes with pinned action SHAs  --- > [!NOTE] > **Low Risk** > Low risk: CI-only change that pins an existing third-party action to a specific commit for supply-chain hardening, without altering inputs or behavior beyond the referenced revision. > > **Overview** > Pins the Linux `MarkusJx/install-boost` step in `.github/actions/install-boost/action.yml` from the `v2.4.4` tag to its full commit SHA, improving supply-chain security while keeping the same action version. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 56d9a44. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/.github/actions/install-boost/action.yml b/.github/actions/install-boost/action.yml
@@ -22,7 +22,7 @@ runs:
   steps:
     - name: Install boost using action
       if: runner.os == 'Linux'
-      uses: MarkusJx/install-boost@v2.4.4
+      uses: MarkusJx/install-boost@3039450bb3dd2e8630d1cf10ec39cb1da3054bbd # v2.4.4
       id: boost-action
       with:
         boost_version: 1.81.0
