fix: pin 1password CLI action and fix gh secret set stdin handling

claude · claude · commit d7d176dcdc8e · 2026-03-08T21:22:58.000Z
Pin 1password/install-cli-action to commit SHA (v2.0.2) for supply chain security. Remove erroneous --body - flag from gh secret set which passed the literal string "-" instead of reading piped stdin. https://claude.ai/code/session_01SvzkZUEyQnbHgMWodBoq65
diff --git a/.github/actions/1password-secret-sync/action.yml b/.github/actions/1password-secret-sync/action.yml
@@ -36,7 +36,8 @@ runs:
   using: 'composite'
   steps:
     - name: Install 1Password CLI
-      uses: 1password/install-cli-action@v2
+      # Pin to commit SHA for supply chain security — update when action changes
+      uses: 1password/install-cli-action@9a0c9dd934086b7ab1d90115d455bda1c53c2bdb # v2.0.2
 
     - name: Sync secrets
       id: sync
@@ -113,7 +114,7 @@ runs:
               echo "[DRY RUN] Would set '$target_name' on $target_repo"
               skipped=$((skipped + 1))
             else
-              if echo "$value" | gh secret set "$target_name" --repo "$target_repo" --body -; then
+              if echo "$value" | gh secret set "$target_name" --repo "$target_repo"; then
                 echo "Set '$target_name' on $target_repo"
                 synced=$((synced + 1))
               else
