Skip to content
Dependency Scan

chore: [SEC-7924] pin third-party GitHub Actions to commit SHAs #137

Sign in to view logs

chore: [SEC-7924] pin third-party GitHub Actions to commit SHAs

chore: [SEC-7924] pin third-party GitHub Actions to commit SHAs #137

Triggered via pull request March 24, 2026 14:44
@pkaedingpkaeding
opened #668
security/SEC-7924/pin-github-actions
Status Success
Total duration 2m 13s
Artifacts 3

dependency-scan.yml

on: pull_request
generate-go-sbom
1m 53s
generate-go-sbom
generate-nodejs-sbom
1m 44s
generate-nodejs-sbom
evaluate-policy
11s
evaluate-policy
Fit to window
Zoom out
Zoom in

Annotations

3 warnings
generate-nodejs-sbom
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v4, actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8, actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
generate-go-sbom
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/checkout@v4, actions/setup-go@v5, actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8, actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/
evaluate-policy
Node.js 20 actions are deprecated. The following actions are running on Node.js 20 and may not work as expected: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57, actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e, actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b. Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026. Please check if updated versions of these actions are available that support Node.js 24. To opt into Node.js 24 now, set the FORCE_JAVASCRIPT_ACTIONS_TO_NODE24=true environment variable on the runner or in your workflow file. Once Node.js 24 becomes the default, you can temporarily opt out by setting ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION=true. For more information see: https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

Artifacts

Produced during runtime
Name Size Digest
bom-go Expired
10.2 KB
sha256:de485b9affe7dc3bb5569f094a7dccdb257c69467facb92240e83a55fa0e2a3d
bom-nodejs Expired
124 KB
sha256:a1de1c16ae3fa16becc31e09e34f4717a4d9435318e3cab8e59f35054b2721df
merged-bom
140 KB
sha256:24d367d0c78cea5fecd2acb30c08c1832ca78e3754a7c2f953fe6b184782fcab