From 66af32517fc11036439d191771095d40884c9ec0 Mon Sep 17 00:00:00 2001
From: Tobias Wennergren
Date: Thu, 2 Oct 2025 13:23:32 -0700
Subject: [PATCH] security: pin GitHub Actions to SHA1 for supply chain security

Pin all GitHub Actions to their specific SHA1 hashes to reduce the risk of supply chain attacks. This ensures that the exact version of each action is used and prevents potential malicious updates from automatically being incorporated.

---
 .github/workflows/demo-tests.yml | 8 ++++----
 .github/workflows/publish.yml | 4 ++--
 .github/workflows/widget-tests.yml | 8 ++++----
 3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/demo-tests.yml b/.github/workflows/demo-tests.yml
index 8f6154d..e87579e 100644
--- a/.github/workflows/demo-tests.yml
+++ b/.github/workflows/demo-tests.yml
@@ -14,11 +14,11 @@ jobs:
 run:
 working-directory: demo
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v2
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
 with:
 version: 8
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20
 cache: "pnpm"
@@ -28,7 +28,7 @@ jobs:
 run: pnpm dlx playwright install --with-deps chromium
 - name: Run Playwright tests
 run: pnpm test
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: always()
 with:
 name: playwright-report
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 57893d7..a14be5d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
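Review bot: The new pins in this hunk (and the identical ones in publish.yml and widget-tests.yml) carry their only human-readable identity in the trailing `# v4.3.0`-style comments, which GitHub never checks against the SHA, so before merging each SHA should be confirmed against the upstream tag it claims to be (for example `git ls-remote https://github.com/actions/checkout v4.3.0`) and that verification recorded in the PR. Pinning also needs an update path, or these SHAs will still be in place after the next security fix in any of these actions; a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` keeps SHA pins current and rewrites the version comment on each bump. The `jobs:` mapping and the job definition this hunk belongs to start outside the hunk.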
@@ -12,8 +12,8 @@ jobs:
 steps:
 - name: Install PNPM
 run: npm install -g pnpm
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20
 cache: "pnpm"
diff --git a/.github/workflows/widget-tests.yml b/.github/workflows/widget-tests.yml
index 7945607..6f3eed1 100644
--- a/.github/workflows/widget-tests.yml
+++ b/.github/workflows/widget-tests.yml
@@ -10,11 +10,11 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: pnpm/action-setup@v2
+ - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+ - uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1
 with:
 version: 8
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version: 20
 cache: "pnpm"
@@ -22,7 +22,7 @@ jobs:
 run: pnpm install
 - name: Run tests
 run: pnpm test
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 if: always()
 with:
 name: test-coverage
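Review bot: In the publish.yml hunk the step directly above the new pins, `run: npm install -g pnpm`, still resolves pnpm to whatever the registry serves at run time, so the release workflow is the one place in this change where an unpinned dependency remains in the toolchain that builds and publishes the package. Consider replacing that step with the same `pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2.4.1` step used in demo-tests.yml and widget-tests.yml, and giving it an exact version rather than the floating major `version: 8` those workflows use; failing that, `npm install -g pnpm@<exact-version>` at least fixes the version. That line is context rather than new code, but it falls squarely under the commit's stated goal. The `jobs:` mapping and the job definition start outside the hunk.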