From ed00612cf7107452d1e52044feda4305b410b81b Mon Sep 17 00:00:00 2001
From: Pascal Birchler
Date: Fri, 11 Jul 2025 18:46:06 +0200
Subject: [PATCH] chore: pin GitHub Actions to SHAs (#2987)

Co-authored-by: Jack Wotherspoon
---
.github/workflows/ci.yml | 22 +++++++++----------
.github/workflows/community-report.yml | 2 +-
.github/workflows/e2e.yml | 8 +++----
.../gemini-automated-issue-triage.yml | 2 +-
.../gemini-scheduled-issue-triage.yml | 2 +-
.../workflows/gemini-scheduled-pr-triage.yml | 4 ++--
.github/workflows/release.yml | 6 ++---
7 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c9524cc2..2ef43ed5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,10 +20,10 @@ jobs:
node-version: [20.x, 22.x, 24.x]
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
@@ -46,7 +46,7 @@ jobs:
run: npm run typecheck
- name: Upload build artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: build-artifacts-${{ matrix.node-version }}
path: |
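Review bot: The trailing comment on each pinned `uses:` line records only the major tag (`# v4`), which does not tell a reviewer which release the SHA was taken from and so cannot be checked against the upstream tag without a lookup; record the exact tag the pin was resolved from, e.g. `uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2` if that is what this SHA resolves to. The same applies to every pinned line in this commit: the other ci.yml hunks and the hunks in community-report.yml, e2e.yml, the three gemini-*-triage.yml files and release.yml. SHA pins only stay safe if something re-pins them; if the repository does not already have a Dependabot (`package-ecosystem: github-actions`) or Renovate configuration, which is not visible in this patch, add one so the pins follow upstream security fixes instead of freezing on today's commits.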
@@ -65,16 +65,16 @@ jobs:
node-version: [20.x, 22.x, 24.x] # Should match the build job's matrix
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
- name: Download build artifacts
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: build-artifacts-${{ matrix.node-version }}
path: . # Download to the root, this will include package-lock.json and packages/*/dist
@@ -92,7 +92,7 @@ jobs:
- name: Publish Test Report (for non-forks)
if: always() && (github.event.pull_request.head.repo.full_name == github.repository)
- uses: dorny/test-reporter@v2
+ uses: dorny/test-reporter@890a17cecf52a379fc869ab770a71657660be727 # v2
with:
name: Test Results (Node ${{ matrix.node-version }})
path: packages/*/junit.xml
@@ -101,13 +101,13 @@ jobs:
- name: Upload Test Results Artifact (for forks)
if: always() && (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
with:
name: test-results-fork-${{ matrix.node-version }}
path: packages/*/junit.xml
- name: Upload coverage reports
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: always()
with:
name: coverage-reports-${{ matrix.node-version }}
@@ -127,10 +127,10 @@ jobs:
node-version: [22.x] # Reduce noise by only posting the comment once
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download coverage reports artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
with:
name: coverage-reports-${{ matrix.node-version }}
path: coverage_artifact # Download to a specific directory
diff --git a/.github/workflows/community-report.yml b/.github/workflows/community-report.yml
index e9a44081..28aa2cba 100644
--- a/.github/workflows/community-report.yml
+++ b/.github/workflows/community-report.yml
@@ -25,7 +25,7 @@ jobs:
steps:
- name: Generate GitHub App Token 🔑
id: generate_token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 8e91292d..745627a1 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -16,10 +16,10 @@ jobs:
sandbox: [sandbox:none, sandbox:docker]
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: 20.x
cache: 'npm'
@@ -32,11 +32,11 @@ jobs:
- name: Set up Docker
if: matrix.sandbox == 'sandbox:docker'
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
- name: Set up Podman
if: matrix.sandbox == 'sandbox:podman'
- uses: redhat-actions/podman-login@v1
+ uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1
with:
registry: docker.io
username: ${{ secrets.DOCKERHUB_USERNAME }}
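Review bot: The newly pinned `redhat-actions/podman-login` step in the second e2e.yml hunk is unreachable as written: its guard is `if: matrix.sandbox == 'sandbox:podman'`, but the `sandbox:` matrix in the hunk just above lists only `sandbox:none` and `sandbox:docker`, so the step and its `secrets.DOCKERHUB_USERNAME` login never execute. Pinning a dead step only adds one more dependency to keep current; either add `sandbox:podman` to the matrix if Podman coverage is intended, or delete the step. Both hunks appear to belong to the same job, but the job header and the rest of its definition are outside the hunks, so confirm no other matrix entry exists before removing it.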
diff --git a/.github/workflows/gemini-automated-issue-triage.yml b/.github/workflows/gemini-automated-issue-triage.yml
index 7d20be3a..ed465980 100644
--- a/.github/workflows/gemini-automated-issue-triage.yml
+++ b/.github/workflows/gemini-automated-issue-triage.yml
@@ -19,7 +19,7 @@ jobs:
steps:
- name: Generate GitHub App Token
id: generate_token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
diff --git a/.github/workflows/gemini-scheduled-issue-triage.yml b/.github/workflows/gemini-scheduled-issue-triage.yml
index b507ac09..781ae373 100644
--- a/.github/workflows/gemini-scheduled-issue-triage.yml
+++ b/.github/workflows/gemini-scheduled-issue-triage.yml
@@ -17,7 +17,7 @@ jobs:
steps:
- name: Generate GitHub App Token
id: generate_token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
diff --git a/.github/workflows/gemini-scheduled-pr-triage.yml b/.github/workflows/gemini-scheduled-pr-triage.yml
index 4e5b532d..dc2228bc 100644
--- a/.github/workflows/gemini-scheduled-pr-triage.yml
+++ b/.github/workflows/gemini-scheduled-pr-triage.yml
@@ -19,11 +19,11 @@ jobs:
prs_needing_comment: ${{ steps.run_triage.outputs.prs_needing_comment }}
steps:
- name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Generate GitHub App Token
id: generate_token
- uses: actions/create-github-app-token@v2
+ uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c6bca6a0..9c449702 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -48,7 +48,7 @@ jobs:
steps:
- name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
ref: ${{ github.sha }}
fetch-depth: 0
@@ -69,7 +69,7 @@ jobs:
echo "is_dry_run=${is_dry_run}" >> $GITHUB_OUTPUT
- name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '20'
cache: 'npm'
@@ -130,7 +130,7 @@ jobs:
npm run prepare:package
- name: Configure npm for publishing
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
with:
node-version: '20'
registry-url: 'https://wombat-dressing-room.appspot.com'