From 368d9ab853d3b05f5bf822468d73d2c394cbc19e Mon Sep 17 00:00:00 2001
From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com>
Date: Sat, 29 Nov 2025 08:51:16 -0500
Subject: [PATCH] ci: Pin GitHub Actions to specific commit SHAs

Updated all workflow files to use exact commit SHAs for third-party actions instead of version tags. This improves security and reliability by ensuring workflows use immutable, reviewed versions of actions.
---
 .github/workflows/__call-codeql.yml | 2 +-
 .github/workflows/__call-common-lint.yml | 6 +++---
 .github/workflows/__call-docker.yml | 12 ++++++------
 .github/workflows/__call-release-notifier.yml | 2 +-
 .github/workflows/__call-update-flathub-repo.yml | 4 ++--
 .github/workflows/__call-update-homebrew-repo.yml | 2 +-
 .github/workflows/__call-update-pacman-repo.yml | 4 ++--
 .github/workflows/__call-update-winget-repo.yml | 4 ++--
 .github/workflows/__cla-gist-replicator.yml | 2 +-
 .github/workflows/__social-post.yml | 6 +++---
 .github/workflows/__update-cpm-cmake.yml | 2 +-
 .github/workflows/__update_license_years.yml | 2 +-
 12 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/.github/workflows/__call-codeql.yml b/.github/workflows/__call-codeql.yml
index b648de63..7aa08f39 100644
--- a/.github/workflows/__call-codeql.yml
+++ b/.github/workflows/__call-codeql.yml
@@ -217,7 +217,7 @@ jobs:
 upload: failure-only
 - name: filter-sarif
- uses: advanced-security/filter-sarif@v1
+ uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1.0.1
 with:
 input: sarif-results/${{ matrix.language }}.sarif
 output: sarif-results/${{ matrix.language }}.sarif
diff --git a/.github/workflows/__call-common-lint.yml b/.github/workflows/__call-common-lint.yml
index 39736f58..1bbad719 100644
--- a/.github/workflows/__call-common-lint.yml
+++ b/.github/workflows/__call-common-lint.yml
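Review bot: The `# v1.0.1` comment on the new `uses:` line is documentation only; the runner resolves the 40-character SHA and never checks that it matches the named tag, so the SHA-to-tag mapping has to be verified at pin time and then kept current by an updater, or the pin quietly freezes the action at one release. This applies to every pinned line in the patch (all 12 workflow files), not just this hunk. No Dependabot or Renovate configuration is part of this patch; if the repository does not already have one covering the `github-actions` ecosystem, adding it keeps both the SHA and the trailing version comment refreshed together. The previous `@v1` tracked 1.x patch releases automatically while the SHA does not, which is the intended trade-off but is worth stating once in a workflow header comment, e.g. `# Third-party actions are pinned to commit SHAs; the trailing comment records the release tag the SHA was taken from.`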
@@ -176,7 +176,7 @@ jobs:
 - name: check-trailing-spaces
 if: always()
- uses: marcopaganini/check-trailing-spaces@v2.0.0
+ uses: marcopaganini/check-trailing-spaces@8cb92e10874ed9bd54d89f2848f98308242527bd # v2.0.0
 - name: C++ - find files
 id: cpp_files
@@ -224,7 +224,7 @@ jobs:
 - name: C++ - Clang format (diff)
 id: clang_format_diff
 if: always() && steps.cpp_files.outputs.found_files
- uses: DoozyX/clang-format-lint-action@v0.20
+ uses: DoozyX/clang-format-lint-action@bcb4eb2cb0d707ee4f3e5cc3b456eb075f12cf73 # v0.20
 with:
 source: ${{ steps.cpp_files.outputs.found_files }}
 clangFormatVersion: '${{ env.CLANG_FORMAT_VERSION }}'
@@ -470,7 +470,7 @@ jobs:
 - name: Setup Rust
 if: always() && steps.run_cargo.outputs.found_cargo == 'true'
- uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+ uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
 with:
 components: 'rustfmt'
 cache: false
diff --git a/.github/workflows/__call-docker.yml b/.github/workflows/__call-docker.yml
index 677df54e..5fb31dfb 100644
--- a/.github/workflows/__call-docker.yml
+++ b/.github/workflows/__call-docker.yml
@@ -229,11 +229,11 @@ jobs:
 } >> "${GITHUB_OUTPUT}"
 - name: Set Up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 - name: Set up Docker Buildx
 id: buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
 - name: Cache Docker Layers
 uses: actions/cache@v4
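Review bot: `actions/cache@v4` in the trailing context of the `__call-docker.yml` hunk (and `actions/checkout@v6` in `__cla-gist-replicator.yml`) stays on a mutable tag after this change; the commit message scopes SHA pinning to third-party actions, which is a defensible policy for GitHub-owned actions, but nothing in the workflows records it. A future contributor reading `actions/cache@v4` directly under a SHA-pinned `docker/setup-buildx-action` cannot tell whether the omission is deliberate or missed. A one-line comment above the first first-party step, e.g. `# GitHub-owned actions/* are intentionally left on major-version tags`, makes the policy visible where the inconsistency is seen.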
@@ -245,14 +245,14 @@ jobs:
 - name: Log in to Docker Hub
 if: inputs.publish_release == 'true' # PRs do not have access to secrets
- uses: docker/login-action@v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 username: ${{ secrets.DOCKER_HUB_USERNAME }}
 password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 - name: Log in to the Container registry
 if: inputs.publish_release == 'true' # PRs do not have access to secrets
- uses: docker/login-action@v3
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
 username: ${{ secrets.GH_BOT_NAME }}
@@ -267,7 +267,7 @@ jobs:
 - name: Build and push
 id: build
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
 with:
 context: ./
 file: ${{ matrix.dockerfile }}
@@ -336,7 +336,7 @@ jobs:
 sparse-checkout-cone-mode: false
 - name: Update Docker Hub Description
- uses: peter-evans/dockerhub-description@v5
+ uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa # v5.0.0
 with:
 username: ${{ secrets.DOCKER_HUB_USERNAME }}
 password: ${{ secrets.DOCKER_HUB_PASSWORD }} # token is not currently supported
diff --git a/.github/workflows/__call-release-notifier.yml b/.github/workflows/__call-release-notifier.yml
index 5715b169..8ab08ed3 100644
--- a/.github/workflows/__call-release-notifier.yml
+++ b/.github/workflows/__call-release-notifier.yml
@@ -118,7 +118,7 @@ jobs:
 if: >-
 steps.check-label.outputs.hasTopic == 'true' &&
 steps.check-release.outputs.isLatestRelease == 'true'
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
 with:
 author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
 committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
diff --git a/.github/workflows/__call-update-flathub-repo.yml b/.github/workflows/__call-update-flathub-repo.yml
index ad2ff643..7c16dc31 100644
--- a/.github/workflows/__call-update-flathub-repo.yml
+++ b/.github/workflows/__call-update-flathub-repo.yml
@@ -102,7 +102,7 @@ jobs:
 if: >-
 steps.check-label.outputs.hasTopic == 'true' &&
 steps.check-release.outputs.isLatestRelease == 'true'
- uses: robinraju/release-downloader@v1.12
+ uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
 with:
 repository: "${{ github.repository }}"
 tag: "${{ github.event.release.tag_name }}"
@@ -156,7 +156,7 @@ jobs:
 steps.check-label.outputs.hasTopic == 'true' &&
 steps.check-release.outputs.isLatestRelease == 'true' &&
 fromJson(steps.download.outputs.downloaded_files)[0]
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
 with:
 author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
 committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
diff --git a/.github/workflows/__call-update-homebrew-repo.yml b/.github/workflows/__call-update-homebrew-repo.yml
index ca9e11fa..4cde26db 100644
--- a/.github/workflows/__call-update-homebrew-repo.yml
+++ b/.github/workflows/__call-update-homebrew-repo.yml
@@ -44,7 +44,7 @@ jobs:
 - name: Download release asset
 id: download
 if: steps.check-label.outputs.hasTopic == 'true'
- uses: robinraju/release-downloader@v1.12
+ uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
 with:
 repository: "${{ github.repository }}"
 tag: "${{ github.event.release.tag_name }}"
diff --git a/.github/workflows/__call-update-pacman-repo.yml b/.github/workflows/__call-update-pacman-repo.yml
index ac1e0ede..f38d8118 100644
--- a/.github/workflows/__call-update-pacman-repo.yml
+++ b/.github/workflows/__call-update-pacman-repo.yml
@@ -76,7 +76,7 @@ jobs:
 if: >-
 steps.check-label.outputs.hasTopic == 'true' &&
 steps.check-release.outputs.isLatestRelease == 'true'
- uses: robinraju/release-downloader@v1.12
+ uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
 with:
 repository: "${{ github.repository }}"
 tag: "${{ github.event.release.tag_name }}"
@@ -99,7 +99,7 @@ jobs:
 steps.check-label.outputs.hasTopic == 'true' &&
 steps.check-release.outputs.isLatestRelease == 'true' &&
 fromJson(steps.download.outputs.downloaded_files)[0]
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
 with:
 author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
 committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
diff --git a/.github/workflows/__call-update-winget-repo.yml b/.github/workflows/__call-update-winget-repo.yml
index bc4dd69b..c400d29f 100644
--- a/.github/workflows/__call-update-winget-repo.yml
+++ b/.github/workflows/__call-update-winget-repo.yml
@@ -46,7 +46,7 @@ jobs:
 - name: Download release asset
 id: download
 if: steps.check-label.outputs.hasTopic == 'true'
- uses: robinraju/release-downloader@v1.12
+ uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
 with:
 repository: "${{ github.repository }}"
 tag: "${{ github.event.release.tag_name }}"
@@ -60,7 +60,7 @@ jobs:
 if: >-
 steps.check-label.outputs.hasTopic == 'true' &&
 fromJson(steps.download.outputs.downloaded_files)[0]
- uses: vedantmgoyal2009/winget-releaser@v2
+ uses: vedantmgoyal2009/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e # v2
 with:
 identifier: "${{ github.repository_owner }}.${{ github.event.repository.name }}"
 release-tag: ${{ github.event.release.tag_name }}
diff --git a/.github/workflows/__cla-gist-replicator.yml b/.github/workflows/__cla-gist-replicator.yml
index b346fd28..f3624734 100644
--- a/.github/workflows/__cla-gist-replicator.yml
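Review bot: The trailing comment on the `vedantmgoyal2009/winget-releaser` pin reads `# v2`, a floating major-version tag rather than a release, so a reviewer cannot tell which release the SHA `4ffc7888…` was taken from or later check whether that release has been superseded; `bluwy/release-for-reddit-action@b4ee0e0d… # v2` in `__social-post.yml` has the same problem. The other pins in this patch record the exact release (`# v7.0.9`, `# v3.6.0`, `# v1.12`), and automated updaters key off that comment to decide when a newer release exists. Record the specific tag the SHA corresponds to — `# v2.X.Y` here is a placeholder; take the real value from the action's release list — so the pin is auditable without a lookup.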
+++ b/.github/workflows/__cla-gist-replicator.yml
@@ -31,7 +31,7 @@ jobs:
 uses: actions/checkout@v6
 - name: Deploy Gist
- uses: exuanbo/actions-deploy-gist@v1
+ uses: exuanbo/actions-deploy-gist@47697fceaeea2006a90594ee24eb9cd0a1121ef8 # v1.1.4
 with:
 token: ${{ secrets.GH_BOT_TOKEN }}
 gist_id: ${{ secrets.CLA_GIST_ID }}
diff --git a/.github/workflows/__social-post.yml b/.github/workflows/__social-post.yml
index d5507cd5..71af5da6 100644
--- a/.github/workflows/__social-post.yml
+++ b/.github/workflows/__social-post.yml
@@ -49,7 +49,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: discord
- uses: sarisia/actions-status-discord@v1
+ uses: sarisia/actions-status-discord@b8381b25576cb341b2af39926ab42c5056cc44ed # v1.15.5
 with:
 avatar_url: ${{ vars.ORG_LOGO_URL }}256
 color: 0x${{ vars.COLOR_HEX_GREEN }}
@@ -81,7 +81,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: reddit
- uses: bluwy/release-for-reddit-action@v2
+ uses: bluwy/release-for-reddit-action@b4ee0e0d64da893e0428912aac5cda675082bd85 # v2
 with:
 username: ${{ secrets.REDDIT_USERNAME }}
 password: ${{ secrets.REDDIT_PASSWORD }}
@@ -98,7 +98,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: x
- uses: nearform-actions/github-action-notify-twitter@v1
+ uses: nearform-actions/github-action-notify-twitter@b3fa623c2f320117e8a08e20564c4ce0a5e67930 # v1.2.3
 # alternative: noweh/post-tweet-v2-action@v1.0
 with:
 message: "${{ inputs.title }}: ${{ inputs.body }}"
diff --git a/.github/workflows/__update-cpm-cmake.yml b/.github/workflows/__update-cpm-cmake.yml
index 8a50741c..e2125b0c 100644
--- a/.github/workflows/__update-cpm-cmake.yml
+++ b/.github/workflows/__update-cpm-cmake.yml
@@ -106,7 +106,7 @@ jobs:
 - name: Create/Update Pull Request
 id: create-pr
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
 with:
 author: "${{ secrets.GH_BOT_NAME }} <${{ secrets.GH_BOT_EMAIL }}>"
 committer: "${{ secrets.GH_BOT_NAME }} <${{ secrets.GH_BOT_EMAIL }}>"
diff --git a/.github/workflows/__update_license_years.yml b/.github/workflows/__update_license_years.yml
index 5dbf1cd3..0f55a839 100644
--- a/.github/workflows/__update_license_years.yml
+++ b/.github/workflows/__update_license_years.yml
@@ -49,7 +49,7 @@ jobs:
 persist-credentials: false
 - name: Update license year
- uses: FantasticFiasco/action-update-license-year@v3
+ uses: FantasticFiasco/action-update-license-year@d837fc83ecb71196807bdf3854208f556e66f6ed # v3.0.3
 with:
 commitAuthorEmail: ${{ secrets.GH_BOT_EMAIL }}
 commitAuthorName: ${{ secrets.GH_BOT_NAME }}