
ci: pin oven-sh/setup-bun to a commit SHA #21486

Open: eliottreich wants to merge 1 commit into getsentry:develop from eliottreich:fix/pin-setup-bun-sha

@eliottreich

Pins oven-sh/setup-bun from the mutable v2 tag to the exact commit that tag points to today (0c5077e51419...) in build.yml (3 places), keeping a # v2 comment. A mutable tag can be re-pointed upstream; pinning to a commit SHA makes the action immutable, the GitHub-recommended hardening for third-party actions. Dependabot (already configured here) can keep the pin current.

  • If you've added code that should be tested, please add tests. — N/A, CI configuration change only.
  • Ensure your code lints and the test suite passes. — N/A, no application code changed; ref-only edit.
  • Link an issue if there is one. — no issue; happy to open one if preferred.

Ref-only: the pinned SHA is the exact commit v2 resolves to today, so behavior is unchanged.

A repository-specific security report with the other categories reviewed (public files only): https://www.task-bounty.com/fix-more?repo=getsentry/sentry-javascript

Prepared by TaskBounty. Glad to adjust or close if this isn't useful.

Replaces the mutable @v2 tag with the commit it points to (0c5077e51419868618aeaa5fe8019c62421857d6) in 3 places in build.yml, keeping a # v2 comment. Ref-only, no behavior change.