SHA Pinning for Pipelines Workflows

We’ve updated all third-party GitHub Actions used in Pipelines to support SHA pinning. That means every external action is now referenced by a specific commit SHA instead of a mutable tag like v3 or latest.

Why this matters:

  • Improved security: You’re protected from upstream changes or compromised tags.
  • Policy compliance: Pipelines now work seamlessly with GitHub’s SHA pinning enforcement.
  • More predictable builds: No surprises from action updates outside your control.

If your organization already enforces SHA pinning, no action is required: Pipelines workflows should now run without being blocked. If you’re curious about enabling SHA pinning enforcement to improve your security posture, GitHub has a good overview.