fix(scripts): pin EricCrosson/retry to v1.4.8 with SHA256 digest

gokulhost · claude · gokulhost · commit 326cc6e2fa78 · 2026-06-09T15:32:11.000-07:00
Pins the retry binary to an exact version and checksum to address supply-chain security concerns in the npm publish pipeline. WCN-865 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/npmjs-release.yml b/.github/workflows/npmjs-release.yml
@@ -239,7 +239,7 @@ jobs:
       - name: Install retry
         uses: BitGo/install-github-release-binary@v2
         with:
-          targets: EricCrosson/retry@v1
+          targets: EricCrosson/retry@v1.4.8:sha256-15224553f40d5d16dcc1a696798741227c79670a41f43e522002e634aa1d7c64
 
       - name: Run yarn audit
         run: retry --up-to 2x --every 3s -- yarn run audit-high --retry-on-network-failure
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -39,7 +39,7 @@ jobs:
       - name: Install retry
         uses: BitGo/install-github-release-binary@v2
         with:
-          targets: EricCrosson/retry@v1
+          targets: EricCrosson/retry@v1.4.8:sha256-15224553f40d5d16dcc1a696798741227c79670a41f43e522002e634aa1d7c64
 
       - name: Audit Dependencies
         run: retry --up-to 2x --every 3s -- yarn run improved-yarn-audit --min-severity high --retry-on-network-failure
