CodeQL Alert Details
| Field | Value |
| --- | --- |
| Alert Number | #1 |
| Severity | MEDIUM |
| SLA | 60 days |
| Rule ID | actions/unpinned-tag |
| File | .github/workflows/release-please.yml |
| Location | Line 16 |
| Tool | CodeQL v2.24.3 |
Rule Description
Unpinned tag for a non-immutable Action in workflow
Finding
Unpinned third-party Action: step 'Release Please' (step id: release) uses 'googleapis/release-please-action' with ref 'v4', which is a mutable tag rather than a pinned commit hash.
Location
.github/workflows/release-please.yml:16
Rule Tags
actions, external/cwe/cwe-829, security
Remediation
Review the code at the specified location and apply the recommended fix.
See the CodeQL alert for detailed remediation guidance.
Links
Auto-generated from CodeQL alert on 2026-03-22
This issue will sync to Linear for triage and remediation tracking.