Problem
The following workflow files reference org reusable workflows using `@main` instead of a pinned commit SHA:
- `.github/workflows/ci.yml` line 32: `uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@main`
- `.github/workflows/codecov.yml` line 26: `uses: ByronWilliamsCPA/.github/.github/workflows/python-codecov.yml@main`
- `.github/workflows/container-security.yml` line 42: `uses: ByronWilliamsCPA/.github/.github/workflows/python-container-security.yml@main`
- `.github/workflows/docs.yml` line 32: `uses: ByronWilliamsCPA/.github/.github/workflows/python-docs.yml@main`
- `.github/workflows/mutation-testing.yml` line 43: `uses: ByronWilliamsCPA/.github/.github/workflows/python-mutation.yml@main`
- `.github/workflows/pr-validation.yml` line 31: `uses: ByronWilliamsCPA/.github/.github/workflows/python-pr-validation.yml@main`
- `.github/workflows/publish-pypi.yml` line 20: `uses: ByronWilliamsCPA/.github/.github/workflows/python-publish-pypi.yml@main`
- `.github/workflows/release.yml` line 47: `uses: ByronWilliamsCPA/.github/.github/workflows/python-release.yml@main`
- `.github/workflows/sbom.yml` line 40: `uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@main`
- `.github/workflows/scorecard.yml` line 30: `uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@main`
- `.github/workflows/security-analysis.yml` line 35: `uses: ByronWilliamsCPA/.github/.github/workflows/python-security-analysis.yml@main`
- `.github/workflows/slsa-provenance.yml` line 101: `uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@main`
Floating on `@main` is a supply chain risk: any commit pushed to the org `.github` repo is immediately live in this repository's CI, with no review or approval step on this side. A compromised or accidentally broken org workflow would silently affect every caller on `@main`. A reusable workflow also runs in the caller's context, with whatever permissions and secrets the caller grants it, so the exposure here includes the release and publishing paths (`publish-pypi.yml`, `release.yml`, `slsa-provenance.yml`), not just test and lint jobs.
Fix
Pin each `uses:` reference to the current org repo HEAD SHA `6bad2f898be1d387b8424e9deddefa519674cb19` (which includes the PR 43 concurrency fix and the PR 44 permission documentation), keeping a `# main` comment after the SHA so the branch the pin tracks stays visible for future updates:

```yaml
uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@6bad2f898be1d387b8424e9deddefa519674cb19 # main
```

Use the full 40-character SHA, not a branch, tag or abbreviated SHA: branches and tags are mutable, GitHub Actions does not accept short SHAs in `uses:`, and only the full SHA fixes exactly which content runs. The pin freezes a commit; it does not review it, so the SHA chosen should be one whose contents have actually been looked at. Update all org reusable workflow references in a single commit, then run `pre-commit run --all-files` to confirm no hook failures before pushing. After this change, org workflow updates have to be pulled in deliberately by bumping the SHA, which is the intended trade-off; a dependency-update bot such as Dependabot (`github-actions` ecosystem) can open those bumps and keeps the `# main` comment alongside the new SHA.
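The steps above (find every floating org reference, rewrite it to the SHA with a `# main` comment, confirm nothing is left unpinned) are mechanical enough to script. The following is an added example, not tooling from this repository or the org `.github` repo; it assumes the org repo slug `ByronWilliamsCPA/.github` and the HEAD SHA quoted in this issue, and the workflow text it checks itself against is a constructed sample. Run without `--pin` it exits non-zero when any org reference is unpinned, so it can double as a pre-commit hook or CI gate that stops `@main` from creeping back in.

```python
"""Find and pin floating org reusable-workflow references in GitHub Actions files.

Added example, not the repository's own tooling. It assumes the org repo slug
ByronWilliamsCPA/.github and the HEAD SHA quoted in the issue; the sample
workflow text below is constructed for illustration.
"""
import argparse
import re
import sys
from pathlib import Path

ORG_PREFIX = "ByronWilliamsCPA/.github/"
PINNED_SHA = "6bad2f898be1d387b8424e9deddefa519674cb19"  # org repo HEAD named in the issue

# Matches `uses: <org repo>/<path>@<ref>` at job level or as a `- uses:` step,
# with an optional trailing comment. Assumes the value is unquoted.
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<target>" + re.escape(ORG_PREFIX) + r"[^@\s]+)"
    r"@(?P<ref>[^\s#]+)"
    r"\s*(?:#.*)?$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # GitHub requires the full SHA, not a short one


def find_unpinned(text: str) -> list[tuple[int, str]]:
    """Return (line_no, ref) for each org reference whose ref is not a full commit SHA."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and not FULL_SHA_RE.match(m["ref"]):
            findings.append((no, m["ref"]))
    return findings


def pin_text(text: str, sha: str = PINNED_SHA) -> str:
    """Rewrite floating refs to `@<sha> # <old ref>`; an existing trailing comment is replaced."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError("refusing to pin to anything but a full 40-hex commit SHA")
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]  # preserve the original line terminator
        m = USES_RE.match(body)
        if m and not FULL_SHA_RE.match(m["ref"]):
            body = f"{m['indent']}{m['target']}@{sha} # {m['ref']}"
        out.append(body + ending)
    return "".join(out)


def process_workflows(workflow_dir: Path, sha: str = PINNED_SHA, write: bool = False):
    """Scan every *.yml/*.yaml under workflow_dir; optionally rewrite floating refs in place."""
    report = {}
    for path in sorted(list(workflow_dir.glob("*.yml")) + list(workflow_dir.glob("*.yaml"))):
        text = path.read_text(encoding="utf-8")
        findings = find_unpinned(text)
        if findings:
            report[str(path)] = findings
            if write:
                path.write_text(pin_text(text, sha), encoding="utf-8")
    return report


# Constructed sample: one floating org reference, one already pinned, one third-party step
# (which is outside the org prefix and therefore deliberately left alone).
SAMPLE_WORKFLOW = """\
name: CI
on: [push]
jobs:
  ci:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-ci.yml@main
    secrets: inherit
  sbom:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-sbom.yml@6bad2f898be1d387b8424e9deddefa519674cb19 # main
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="check or pin org reusable-workflow refs")
    parser.add_argument("workflow_dir", nargs="?", default=".github/workflows", type=Path)
    parser.add_argument("--pin", action="store_true", help="rewrite floating refs in place")
    parser.add_argument("--sha", default=PINNED_SHA, help="full commit SHA to pin to")
    args = parser.parse_args(argv)
    report = process_workflows(args.workflow_dir, args.sha, write=args.pin)
    verb = "pinned" if args.pin else "unpinned"
    for path, findings in report.items():
        for no, ref in findings:
            print(f"{path}:{no}: {verb} org reusable workflow ref @{ref}")
    # In check mode a non-zero exit makes this usable as a pre-commit hook or CI gate.
    return 1 if (report and not args.pin) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Before running it with `--pin`, confirm the SHA really is the current tip of the org repo's `main` with `git ls-remote https://github.com/ByronWilliamsCPA/.github refs/heads/main`, and pass a different value via `--sha` if the branch has moved. The script replaces only the `@ref` and trailing comment, so `secrets:`, `with:` and the rest of each job are untouched; run `pre-commit run --all-files` afterwards as the issue asks, then re-run the script without `--pin` to confirm it exits 0.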
References