TestingGatesGatesworkflow-sha-pinning

workflow-sha-pinning

Field	Value
ID	`workflow-sha-pinning`
Version	`1.0.0`
Mode	`static`
Layer	Stripe
Category	`security`
Severity	🟡 warning
SLA	5,000 ms
Depends on	none
Source	`packages/testing/src/gates/workflow-sha-pinning.gate.ts`

What it asserts

Every third-party `uses: <owner>/<action>@<ref>` in .github/workflows/ is pinned to a 40-char SHA (post-TanStack hardening).

Run it locally

bun run gates --gate=workflow-sha-pinning

See also

static mode
Stripe layer
Allowlists — how to bound a known finding with an expiration
Contributing — how to evolve this gate or write a new one

Generated by apps/design/scripts/generate-gate-pages.ts from the gate's source-of-truth metadata. Edit this page by editing the gate file's description / version / etc.

webhook-sequence-property

Per-entity webhook sequence validator accepts every clean interleaving and rejects every single-event mutation (drop / duplicate / bump).

On this page

What it asserts Run it locally See also