From 138f2d4a915d0bef365c67fb0594a02bbccb236e Mon Sep 17 00:00:00 2001
From: Christopher Rotnes
Date: Sat, 16 May 2026 00:32:28 +0200
Subject: [PATCH] security(#255): pin Azure/static-web-apps-deploy to commit SHA

Replaces mutable @v1 tag with the exact commit SHA it resolves to (1a947af) in both ci.yml and cleanup-staging.yml, eliminating the supply-chain risk of a tag being silently updated to run arbitrary code in CI.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/cleanup-staging.yml | 4 ++--
 CHANGELOG.md | 5 +++++
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 594b1d0..0d000da 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -89,7 +89,7 @@ jobs:
 VITE_SUPABASE_ANON_KEY: ${{ vars.VITE_SUPABASE_ANON_KEY }}
 - name: Deploy to Azure Static Web Apps
 id: builddeploy
- uses: Azure/static-web-apps-deploy@v1
+ uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
 with:
 azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_ISLAND_090DFD003 }}
 repo_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/cleanup-staging.yml b/.github/workflows/cleanup-staging.yml
index 38014b8..7b3db7c 100644
--- a/.github/workflows/cleanup-staging.yml
+++ b/.github/workflows/cleanup-staging.yml
@@ -19,7 +19,7 @@ jobs:
 steps:
 - name: Close Pull Request
 id: close1
- uses: Azure/static-web-apps-deploy@v1
+ uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
 continue-on-error: true
 with:
 azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_ISLAND_090DFD003 }}
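Review bot: The trailing `# v1` on the pinned `uses:` line names a moving major tag, so a reader cannot tell which release the SHA `1a947af…` was resolved from, and the same applies to the two pinned lines in cleanup-staging.yml (the @@ -19 and @@ -27 hunks). Record the exact release tag at the time of pinning, e.g. `# v<exact-release-tag>` (placeholder), so the pin can be audited against the upstream repository and dependency-update tooling can recognise and bump it. Unless the repository already has a Dependabot or Renovate configuration covering `github-actions` (not visible in this diff), a SHA pin will silently go stale, so adding one is the natural companion to this change. If other `uses:` lines in these workflows still reference mutable tags, they carry the same risk the commit description names; the hunks show only this step.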
@@ -27,7 +27,7 @@ jobs:
 - name: Retry close (if first attempt failed)
 if: steps.close1.outcome == 'failure'
- uses: Azure/static-web-apps-deploy@v1
+ uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1
 with:
 azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN_WHITE_ISLAND_090DFD003 }}
 action: "close"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f95c90e..62151ca 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@
 All notable changes to Workout Lens are documented here.
+## [1.5.12] — 2026-05-16
+
+### Security
+- **Pin `Azure/static-web-apps-deploy` to commit SHA (issue #255)** — both `ci.yml` and `cleanup-staging.yml` referenced `Azure/static-web-apps-deploy@v1`, a mutable tag that could be silently updated to run arbitrary code in CI. Pinned to the exact commit SHA (`1a947af`) that `v1` currently resolves to.
+
 ## [1.5.11] — 2026-05-16
 ### Developer / Infrastructure