From a5233eaddb53a55d92763181fbc0ff309f911cf5 Mon Sep 17 00:00:00 2001 From: Prem Qu Nair Date: Mon, 9 Mar 2026 21:53:42 +0000 Subject: [PATCH 1/2] Pin Docker image to SHA digest for security Replace :latest tag with pinned SHA256 digest to prevent supply chain attacks from tag mutation. Co-Authored-By: Staging-Devin AI <166158716+staging-devin-ai-integration[bot]@users.noreply.github.com> --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 6f3dc3a..99107c5 100644 --- a/action.yml +++ b/action.yml @@ -30,4 +30,4 @@ outputs: runs: using: 'docker' - image: 'docker://ghcr.io/multimediallc/codeowners-plus:latest' + image: 'docker://ghcr.io/multimediallc/codeowners-plus@sha256:8f9b834d270546cfafa9b3e6774722a93e7178fbeb08415c1bc2e655bb7f8637' From 8126d04ea1e60cd463f2d6194c142e4eb0f0dfca Mon Sep 17 00:00:00 2001 From: Prem Qu Nair Date: Mon, 9 Mar 2026 21:55:40 +0000 Subject: [PATCH 2/2] Update prepare-release.sh sed patterns to handle @sha256: image format The sed pattern for action.yml now matches both :TAG and @sha256:DIGEST formats using [:@] character class. Co-Authored-By: Staging-Devin AI <166158716+staging-devin-ai-integration[bot]@users.noreply.github.com> --- scripts/prepare-release.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/prepare-release.sh b/scripts/prepare-release.sh index acf77cc..47b5d92 100755 --- a/scripts/prepare-release.sh +++ b/scripts/prepare-release.sh 
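Review bot: The new `image:` line in action.yml pins a bare digest with nothing recording which tag or build it was resolved from, so a maintainer cannot tell what version is running or check the pin against the registry without re-resolving it by hand. A trailing comment on the line, `image: 'docker://ghcr.io/multimediallc/codeowners-plus@sha256:8f9b…' # resolved from :<tag> on <date>`, makes the pin auditable and tells the next releaser what to bump. The commit message also does not say how the digest was obtained (e.g. `docker buildx imagetools inspect` or `crane digest` against the pushed tag); stating that gives reviewers a way to verify it rather than trusting the hash as written. Note that dropping `:latest` means consumers of this action stop receiving new images until this line is updated, so the release process must now own that update.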
@@ -73,11 +73,11 @@ echo "Updating ${ACTIONS_FILE}, ${CLI_TOOL_FILE}, and ${README_FILE} to replace
 # For GNU sed (Linux), -i without an argument is fine.
 # For BSD sed (macOS), -i requires an argument (even if empty string for no backup).
 if sed --version 2>/dev/null | grep -q GNU; then # GNU sed
- sed -i "s|codeowners-plus:.*'|codeowners-plus:${VERSION_TAG}'|g" "${ACTIONS_FILE}"
+ sed -i "s|codeowners-plus[:@].*'|codeowners-plus:${VERSION_TAG}'|g" "${ACTIONS_FILE}"
 sed -i "s|Version: .*|Version: \"${VERSION_TAG}\",|g" "${CLI_TOOL_FILE}"
 sed -i "s|codeowners-plus@.*|codeowners-plus@${VERSION_TAG}|g" "${README_FILE}"
 else # BSD sed (macOS)
- sed -i '' "s|codeowners-plus:.*'|codeowners-plus:${VERSION_TAG}'|g" "${ACTIONS_FILE}"
+ sed -i '' "s|codeowners-plus[:@].*'|codeowners-plus:${VERSION_TAG}'|g" "${ACTIONS_FILE}"
 sed -i '' "s|Version: .*|Version: \"${VERSION_TAG}\",|g" "${CLI_TOOL_FILE}"
 sed -i '' "s|codeowners-plus@.*|codeowners-plus@${VERSION_TAG}|g" "${README_FILE}"
 fi
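Review bot: The widened `[:@]` pattern on both ACTIONS_FILE lines replaces a pinned `@sha256:…` reference with `codeowners-plus:${VERSION_TAG}`, so the next run of prepare-release.sh rewrites action.yml back to a mutable tag and silently undoes the digest pin the first patch introduced. If the release image is already pushed when this script runs, the fix is to resolve the tag to a digest and write that instead, e.g. `DIGEST=$(crane digest "ghcr.io/multimediallc/codeowners-plus:${VERSION_TAG}")` followed by `sed -i "s|codeowners-plus[:@].*'|codeowners-plus@${DIGEST}'|g" "${ACTIONS_FILE}"`; if the image is built only after this step (I cannot tell from the hunk), the digest update needs to move to whatever job pushes the image, and the script should leave the `@sha256:` line alone rather than downgrade it. Separately, `${VERSION_TAG}` is interpolated unescaped into the sed replacement text, so a tag containing `|`, `&` or `\` would corrupt the substitution; validating it first with something like `[[ "$VERSION_TAG" =~ ^v?[0-9A-Za-z.+-]+$ ]] || exit 1` keeps the release tooling from writing a malformed action.yml. The surrounding script logic begins before this hunk.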