From 60645042c48c363e26917258b0f26924fe5e6b55 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans
Date: Fri, 3 Apr 2026 08:10:59 +0200
Subject: [PATCH] chore: pin actions to sha (#402)
---
 .github/dependabot.yml | 2 ++
 .github/workflows/codeql-analysis.yml | 10 ++++++----
 .github/workflows/dependabot.yml | 4 ++--
 .github/workflows/licensed.yml | 11 ++++++-----
 .github/workflows/linter.yml | 7 ++++---
 .github/workflows/start.yml | 4 +++-
 .github/workflows/test.yml | 10 ++++++----
 7 files changed, 29 insertions(+), 19 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 48063c2..acf271d 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 7
 groups:
 actions-minor:
 update-types:
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index fd94f34..0745f74 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -28,11 +28,13 @@ jobs:
 steps:
 - name: Checkout
 id: checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Initialize CodeQL
 id: initialize
- uses: github/codeql-action/init@v3
+ uses: github/codeql-action/init@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
 with:
 config-file: .github/codeql/codeql-config.yml
 languages: ${{ matrix.language }}
@@ -40,8 +42,8 @@ jobs:
 - name: Autobuild
 id: autobuild
- uses: github/codeql-action/autobuild@v3
+ uses: github/codeql-action/autobuild@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
 - name: Perform CodeQL Analysis
 id: analyze
- uses: github/codeql-action/analyze@v3
+ uses: github/codeql-action/analyze@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
diff --git a/.github/workflows/dependabot.yml b/.github/workflows/dependabot.yml
index 5341b84..da49a22 100644
--- a/.github/workflows/dependabot.yml
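Review bot: The new `cooldown` stanza in .github/dependabot.yml carries no inline explanation, and its purpose — holding a freshly published action release back for a week so a compromised or retracted tag is noticed before it is adopted — is exactly the intent a later maintainer will remove as "why are my updates slow". Add `# Delay version-update PRs by a week after a release so bad or yanked tags are caught before adoption.` above `cooldown:`. It is worth confirming against the Dependabot documentation whether security updates bypass the cooldown; if they do not, the fix for an advisory on one of the newly pinned actions is delayed by the same seven days.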
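Review bot: The checkout step in the first codeql-analysis.yml hunk is bumped from `v5` to `v6.0.2` (and `dependabot/fetch-metadata` from `v2` to `v3.0.0` in the workflows/dependabot.yml hunk) inside a commit described as a pin-only chore, so a major-version change lands without being called out. If the bump is intended, the commit message or a comment on the `uses:` line should say so; otherwise pin to the latest v5 commit and let Dependabot open the major bump on its own. Nothing in this diff verifies that the `# v6.0.2` trailer actually names the commit `de0fac2e…` — the trailer is what humans and Dependabot read — so a pin-verification step in the linter job would keep the two from drifting. The added `persist-credentials: false` is the right default for a job that only reads the tree.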
+++ b/.github/workflows/dependabot.yml
@@ -12,12 +12,12 @@ jobs:
 runs-on: ubuntu-latest
 # Checking the actor will prevent your Action run failing on non-Dependabot
 # PRs but also ensures that it only does work for Dependabot PRs.
- if: ${{ github.actor == 'dependabot[bot]' }}
+ if: github.actor == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
 steps:
 # This first step will fail if there's no metadata and so the approval
 # will not occur.
 - id: meta
- uses: dependabot/fetch-metadata@v2
+ uses: dependabot/fetch-metadata@ffa630c65fa7e0ecfa0625b5ceda64399aea1b36 # v3.0.0
 with:
 github-token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml
index 3cf3ef6..26d116a 100644
--- a/.github/workflows/licensed.yml
+++ b/.github/workflows/licensed.yml
@@ -22,11 +22,12 @@ jobs:
 steps:
 - name: Checkout
 id: checkout
- uses: actions/checkout@v5
-
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node.js
 id: setup-node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .node-version
 cache: npm
@@ -37,11 +38,11 @@ jobs:
 - name: Setup Ruby
 id: setup-ruby
- uses: ruby/setup-ruby@v1
+ uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1.298.0
 with:
 ruby-version: ruby
- - uses: licensee/setup-licensed@v1.3.2
+ - uses: licensee/setup-licensed@0d52e575b3258417672be0dff2f115d7db8771d8 # v1.3.2
 with:
 version: 4.x
 github_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 0f10df1..a3d8f4c 100644
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
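Review bot: The comment above the new `if:` in workflows/dependabot.yml still describes only the actor check, while the condition now also requires `github.repository == github.event.pull_request.head.repo.full_name`, i.e. the PR's head branch must live in this repository rather than a fork. Replace the two comment lines with `# Run only for Dependabot PRs whose head branch is in this repository (not a fork);` / `# the actor check alone does not rule out a PR opened from a fork.` `github.event.pull_request` is empty on non-pull-request events, so on any other trigger this workflow may have, the job now skips silently — fine if `pull_request`/`pull_request_target` is the only trigger, which lies outside the hunk. Dropping the `${{ }}` wrapper is harmless for `if:`.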
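Review bot: In the second licensed.yml hunk, pinning `licensee/setup-licensed` to a SHA does not pin what it installs: `version: 4.x` still resolves to whatever the newest 4.x release of the licensed tool is at run time, and `ruby-version: ruby` likewise floats to the latest Ruby. If the goal of this commit is reproducible, auditable CI inputs, pin both to exact versions (`version: '<exact 4.x release>'`, placeholder to be filled with the current release) and let Dependabot or a scheduled job bump them. If floating is deliberate, a comment such as `# intentionally floating: the license scan should use the current tool` records the decision.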
@@ -24,13 +24,14 @@ jobs:
 steps:
 - name: Checkout
 id: checkout
- uses: actions/checkout@v5
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Setup Node.js
 id: setup-node
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .node-version
 cache: npm
@@ -41,7 +42,7 @@ jobs:
 - name: Lint Codebase
 id: super-linter
- uses: super-linter/super-linter/slim@v8
+ uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
 env:
 DEFAULT_BRANCH: main
 FILTER_REGEX_EXCLUDE: dist/**/*
diff --git a/.github/workflows/start.yml b/.github/workflows/start.yml
index c1a21f9..7f96536 100644
--- a/.github/workflows/start.yml
+++ b/.github/workflows/start.yml
@@ -34,7 +34,9 @@ jobs:
 - version: 1.178.2
 pg_major: 17
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: ./
 with:
 version: ${{ matrix.version }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 44ede89..7c00b73 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,8 +17,10 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .node-version
 cache: npm
@@ -40,7 +42,7 @@ jobs:
 # Upload the mismatched version as a workflow artifact.
 - if: ${{ failure() && steps.diff.outcome == 'failure' }}
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
 name: dist
 path: dist/
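Review bot: In the second linter.yml hunk the `super-linter/super-linter/slim` pin fixes the action's metadata at `61abc07d…`, but if that action is container-based and its action.yml references the image by tag (which appears to be how super-linter is packaged), the image that actually executes is still resolved from a mutable tag at run time, so this step is less firmly pinned than the `# v8.5.0` trailer suggests. Consider saying so above the `uses:` line — `# SHA pins action.yml only; the linter image it pulls is tag-referenced upstream` — so nobody reads the SHA as end-to-end immutability. The step's `env:` block continues beyond the end of the hunk.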
@@ -52,7 +54,7 @@ jobs:
 os: [macos-latest, windows-latest, ubuntu-latest]
 version: [1.0.0, latest]
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: ./
 with:
 version: ${{ matrix.version }}
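Review bot: This is the only checkout in the commit that is pinned without also gaining `persist-credentials: false`, unlike the `build` job earlier in test.yml and every other workflow touched here. Unless a later step in this matrix job pushes or otherwise needs the token left in the checked-out tree, add `with:` / `persist-credentials: false` under the new `- uses:` line so it matches the rest; if the credential is intentionally kept, a one-line comment saying why would stop the next pin sweep from "fixing" it. The job's remaining steps, if any, lie beyond the end of the hunk.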