Pin exact versions of GitHub Actions

mudge · mudge · commit 401af9d97686 · 2025-11-25T15:26:24.000Z
To avoid supply chain attacks, pin GitHub Actions by the exact commit
SHA rather than the tag.
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml
@@ -18,30 +18,35 @@ jobs:
       name: ${{ inputs.environment }}
       url: ${{ inputs.url }}
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548
         with:
           python-version: 3.9
       - name: Install Python dependencies
-        uses: py-actions/py-dependency-install@v4
+        uses: py-actions/py-dependency-install@30aa0023464ed4b5b116bd9fbdab87acf01a484e
       - name: Install Python libs
         run: pip3 install -r ./requirements.txt
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71
         with:
           ruby-version: 3.2
           bundler-cache: true
-      - uses: seanmiddleditch/gha-setup-ninja@v6
+      - uses: seanmiddleditch/gha-setup-ninja@3b1f8f94a2f8254bd26914c4ab9474d4f0015f67
         with:
           version: 1.10.2
       - name: Install arm-none-eabi-gcc GNU Arm Embedded Toolchain
         if: ${{ inputs.deploy }}
-        uses: carlosperate/arm-none-eabi-gcc-action@v1.11.0
+        uses: carlosperate/arm-none-eabi-gcc-action@8fef7ef8d847a80ae13af8dc08690d1dda844874
       - name: Install Doxygen
         if: ${{ inputs.deploy }}
         run: |
           wget https://www.doxygen.nl/files/doxygen-1.10.0.linux.bin.tar.gz
-          tar xf doxygen-1.10.0.linux.bin.tar.gz -C "$HOME"
-          echo "$HOME/doxygen-1.10.0/bin" >> $GITHUB_PATH
+          if echo 'dcfc9aa4cc05aef1f0407817612ad9e9201d9bf2ce67cecf95a024bba7d39747  doxygen-1.10.0.linux.bin.tar.gz' | sha256sum --check --status
+          then
+            tar xf doxygen-1.10.0.linux.bin.tar.gz -C "$HOME"
+            echo "$HOME/doxygen-1.10.0/bin" >> $GITHUB_PATH
+          fi
       - name: Build Doxygen documentation
         if: ${{ inputs.deploy }}
         run: make build_doxygen_adoc
diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml
@@ -10,7 +10,7 @@ jobs:
   mirror:
     runs-on: [self-hosted, web]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3
         with:
           ref: master
           token: ${{ secrets.DOCUMENTATION_REPO_TOKEN }}
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -13,7 +13,7 @@ jobs:
       pull-requests: write
 
     steps:
-    - uses: actions/stale@v10
+    - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.'
