From f5a9dd21a354f09d605f6a25bca22cd27eeb1946 Mon Sep 17 00:00:00 2001
From: WulfForge <krknapp@gmail.com>
Date: Thu, 14 May 2026 11:57:11 -0400
Subject: [PATCH] fix(ci): SHA-pin test-summary/action in preflight-eval
 workflow (#272 residual)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Aligns preflight-eval.yml with the test-mcp-regression.yml pin landed in
PR #273. Closes the last of #272's three CI-baseline regressions —
preflight-eval was the only remaining consumer of the unpinned mutable
@v2 tag whose published artifact silently broke between PR #257 and
PR #258 (index.js missing from the action's bundled output).

Same SHA (31493c76ec9e7aa675f1585d3ed6f1da69269a86, v2.4) used in
test-mcp-regression.yml:213 so a future bump is one grep-and-replace.

Per docs/policies/install-trust-model.md (OWASP A06 supply-chain
discipline): no GitHub Action runs in our CI from a mutable tag.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/preflight-eval.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/preflight-eval.yml b/.github/workflows/preflight-eval.yml
index 7d9679fc..e544c3af 100644
--- a/.github/workflows/preflight-eval.yml
+++ b/.github/workflows/preflight-eval.yml
@@ -95,7 +95,7 @@ jobs:
 
       - name: Surface results in step summary
         if: always()
-        uses: test-summary/action@v2
+        uses: test-summary/action@31493c76ec9e7aa675f1585d3ed6f1da69269a86  # v2.4 (#272 — match test-mcp-regression.yml pin)
         with:
           paths: "test-results/*.xml"
           show: fail, skip