Description
Describe the bug
When I enable Require actions to be pinned to a full-length commit SHA in my repository settings and use codecov-action with a SHA like this:
    steps:
      - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5

codecov-action fails with the error message below:

    Error: The action actions/github-script@v7 is not allowed in ybiquitous/bem-ts because all actions must be from a repository owned by ybiquitous, created by GitHub, or verified in the GitHub Marketplace. All actions must also be pinned to a full-length commit SHA.
I guess the reason is that actions/github-script@v7 is used in codecov-action here:
Line 226 in 2db07e3:

    uses: actions/github-script@v7
To Reproduce
- Enable Require actions to be pinned to a full-length commit SHA in your repository settings
- Run your workflow with codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
Expected behavior
codecov-action is successful.
Regression
I don't think this is a regression.
Screenshots
Product Area
N/A
Versions
- OS: any
- Git Host: GitHub
- CI/CD: GitHub Actions
- Uploader: codecov-action@v5
Commit and CI link
Additional context
The feature of pinning SHAs has been released recently:
https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
If I understand correctly, I guess pinning actions/github-script could resolve this issue, e.g.,
- uses: actions/github-script@v7
+ uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
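Review bot: the policy only evaluates the 40-hex SHA; the trailing `# v7.0.1` comment is informational, so before merging confirm that 60a0d83039c74a4aee543508d2ffcb1c3799cdea really is the commit the v7.0.1 tag points to, and keep the comment in step with the SHA on future bumps since that is what reviewers and update tooling read. The error message says every action must be pinned, so the same change is needed for any other `uses:` line in action.yml that still references a tag, not just line 226.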
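The failure above comes from a tag reference nested inside the composite action, which the caller's own pin does not cover. As an added example (not code from codecov-action or GitHub), the following checker reproduces the policy's rule locally, flagging every `uses:` in a workflow or action.yml that is not a full-length commit SHA, while skipping local (`./`) and `docker://` references that the policy does not resolve by ref; the sample action file is constructed to mirror the report.

```python
import re

# `uses:` targets that are not fetched from a repository by ref.
_EXEMPT_PREFIXES = ("./", "docker://")
_FULL_SHA = re.compile(r"^[0-9a-fA-F]{40}$")
# Matches "uses: owner/repo@ref" with or without a leading "- " and quotes;
# the trailing "# vX" comment is excluded by stopping at '#' or whitespace.
_USES_LINE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^'"#\s]+)""")


def unpinned_uses(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line_number, reference) for every `uses:` reference that is
    not pinned to a full-length commit SHA. Line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        match = _USES_LINE.match(line)
        if not match:
            continue
        ref = match.group(1)
        if ref.startswith(_EXEMPT_PREFIXES):
            continue
        # owner/repo[/path]@ref; a reference with no '@' at all is unpinned too.
        _, _, version = ref.partition("@")
        if not _FULL_SHA.match(version):
            findings.append((lineno, ref))
    return findings


# Constructed sample modelled on the report: the caller pins codecov-action,
# but a step inside the composite action still uses a floating tag.
SAMPLE_ACTION_YML = """\
runs:
  using: composite
  steps:
    - uses: ./internal/setup
    - uses: actions/github-script@v7
    - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
    - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for lineno, ref in unpinned_uses(SAMPLE_ACTION_YML):
        print(f"line {lineno}: {ref} is not pinned to a full-length commit SHA")
```

Run it over every action.yml and workflow file in a repository (including the actions you depend on, checked out at the pinned SHA) to catch nested tag references before the repository policy rejects the run.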