build: pin peter-evans/repository-dispatch to commit SHA (#29554)

XananasX7 · copybara-github · commit 593828358bd4 · 2026-05-20T08:36:54.000-07:00
Pin `peter-evans/repository-dispatch` to full commit SHA instead of mutable `v4` tag. This workflow has access to `secrets.BAZEL_DOC_TRIGGER_TOKEN` (a fine-grained PAT with write access to bazel-contrib/bazel-docs). Pinning to SHA ensures immutability and prevents supply chain attacks via tag manipulation of the third-party action. Ref: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions Closes #29554. PiperOrigin-RevId: 918468468 Change-Id: I3dc6a7f78d07b3584908c5f7e6d0e6d4747ce6c5
diff --git a/.github/workflows/trigger-docs-update.yml b/.github/workflows/trigger-docs-update.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Trigger build of bazel-docs
-        uses: peter-evans/repository-dispatch@v4
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4
         with:
           repository: bazel-contrib/bazel-docs
           # Fine-grained PAT (https://github.com/settings/personal-access-tokens/new), which needs
