From d7d176dcdc8e7ae0ddcfed04da6bbfa6090df1ec Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 8 Mar 2026 21:22:58 +0000 Subject: [PATCH] fix: pin 1password CLI action and fix gh secret set stdin handling Pin 1password/install-cli-action to commit SHA (v2.0.2) for supply chain security. Remove erroneous --body - flag from gh secret set which passed the literal string "-" instead of reading piped stdin. https://claude.ai/code/session_01SvzkZUEyQnbHgMWodBoq65 --- .github/actions/1password-secret-sync/action.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/actions/1password-secret-sync/action.yml b/.github/actions/1password-secret-sync/action.yml index 67fcdcc..4c3b427 100644 --- a/.github/actions/1password-secret-sync/action.yml +++ b/.github/actions/1password-secret-sync/action.yml @@ -36,7 +36,8 @@ runs: using: 'composite' steps: - name: Install 1Password CLI - uses: 1password/install-cli-action@v2 + # Pin to commit SHA for supply chain security — update when action changes + uses: 1password/install-cli-action@9a0c9dd934086b7ab1d90115d455bda1c53c2bdb # v2.0.2 - name: Sync secrets id: sync @@ -113,7 +114,7 @@ runs: echo "[DRY RUN] Would set '$target_name' on $target_repo" skipped=$((skipped + 1)) else - if echo "$value" | gh secret set "$target_name" --repo "$target_repo" --body -; then + if echo "$value" | gh secret set "$target_name" --repo "$target_repo"; then echo "Set '$target_name' on $target_repo" synced=$((synced + 1)) else
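Review bot: Pinning `1password/install-cli-action` to a commit fixes the action's own code, but the `Install 1Password CLI` step still has no `with:` block on the new side, so the CLI binary it downloads is whatever version the action resolves by default (the latest release, as far as I know). Add `with:` and `version: <PINNED_CLI_VERSION>` under the `uses:` line so the tool that actually handles the secrets is pinned as well. The `# v2.0.2` label cannot be checked from the diff, so confirm the SHA against the upstream tag before merging. Dependabot or Renovate can keep the pin current, which is more reliable than the "update when action changes" comment.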
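Review bot: The new `if` line in the second hunk still feeds the secret through `echo "$value"`, which is not byte-exact: a value beginning with `-n` or `-e` is consumed as an echo option, and echo appends a newline that the receiving side has to strip. Use `if printf '%s' "$value" | gh secret set "$target_name" --repo "$target_repo"; then` instead. The enclosing block starts and ends outside the hunk, so it is not visible whether `$value` is checked for being empty before this branch. Confirm that a failed or empty 1Password read cannot overwrite a working secret with an empty value.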