Problem
The pages.yml workflow uses older pinned action SHAs than ci.yml and release.yml, creating version inconsistency across workflows:
| Action | ci.yml / release.yml | pages.yml |
| --- | --- | --- |
| actions/checkout | v6 (de0fac2) | v4 (34e1148) |
| actions/setup-node | N/A | v4 (4993...) |
| actions/upload-pages-artifact | N/A | v3 (56afc60) |
| actions/deploy-pages | N/A | v4 (d6db901) |
Evidence
pages.yml line 23 uses actions/checkout@34e1148 (v4), while ci.yml line 36 and release.yml both use actions/checkout@de0fac2 (v6).
Impact
- Older action versions may contain known vulnerabilities or miss security hardening present in newer versions.
- Inconsistent versions across workflows make it harder to audit the supply chain — a reviewer checking ci.yml might assume all workflows use the same pinned versions.
- actions/checkout v4 vs v6 may have different behavior around sparse checkout, submodules, or token handling.
Suggested Fix
Update pages.yml to use the same pinned v6 SHA for actions/checkout as the other workflows, and bump the remaining actions to their latest major versions with pinned SHAs.
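A check of this kind can run in CI so that pin drift between workflows is caught at review time. The script below is an added example, not code from this repository: it scans workflow text for `uses:` references, reports any action pinned to different refs in different files, and lists refs that are not full 40-character commit SHAs. The workflow snippets and SHAs in `SAMPLE` are constructed placeholders, and `collect_pins` and `audit` are hypothetical names.

```python
import re
from collections import defaultdict

# Matches "uses: owner/repo[/path]@ref"; local (./) and docker:// refs are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:[ \t]*['\"]?([\w.-]+/[\w./-]+)@([\w./-]+)", re.MULTILINE
)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def collect_pins(workflows):
    """Map action name -> {ref: [workflow files using that ref]}."""
    pins = defaultdict(lambda: defaultdict(list))
    for filename, text in workflows.items():
        for action, ref in USES_RE.findall(text):
            pins[action][ref].append(filename)
    return pins


def audit(workflows):
    """Return (drift, unpinned).

    drift:    actions referenced with more than one ref across the workflows.
    unpinned: (file, action, ref) tuples where the ref is a tag or branch
              rather than a full commit SHA.
    """
    pins = collect_pins(workflows)
    drift = {
        action: {ref: sorted(files) for ref, files in refs.items()}
        for action, refs in pins.items() if len(refs) > 1
    }
    unpinned = sorted(
        (f, action, ref)
        for action, refs in pins.items()
        for ref, files in refs.items() if not FULL_SHA_RE.fullmatch(ref)
        for f in files
    )
    return drift, unpinned


# Constructed sample input: placeholder SHAs, not the repository's real pins.
SHA_A, SHA_B = "a" * 40, "b" * 40
SAMPLE = {
    "ci.yml": f"steps:\n  - uses: actions/checkout@{SHA_A} # v6\n",
    "release.yml": f"steps:\n  - uses: actions/checkout@{SHA_A} # v6\n",
    "pages.yml": f"steps:\n  - uses: actions/checkout@{SHA_B} # v4\n"
                 "  - uses: actions/deploy-pages@v4\n",
}

if __name__ == "__main__":
    drift, unpinned = audit(SAMPLE)
    print("drift:", drift)
    print("unpinned:", unpinned)
```

To run it against a real checkout, build the input dict from the files under `.github/workflows/` and fail the job when either result is non-empty.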