From b99023662a73f693efbefee9b20324ef17b3841c Mon Sep 17 00:00:00 2001 From: Andrew Morgan Date: Tue, 5 May 2026 12:32:07 +0100 Subject: [PATCH] Pin versions of github actions using `zizmor` To eliminate risk of supply chain attacks. --- .github/actions/build-frontend/action.yml | 2 +- .github/actions/build-policies/action.yml | 2 +- .github/workflows/build.yaml | 54 ++++++++++---------- .github/workflows/ci.yaml | 48 ++++++++--------- .github/workflows/coverage.yaml | 16 +++--- .github/workflows/docs.yaml | 12 ++--- .github/workflows/merge-back.yaml | 4 +- .github/workflows/release-branch.yaml | 10 ++-- .github/workflows/release-bump.yaml | 6 +-- .github/workflows/tag.yaml | 6 +-- .github/workflows/translations-download.yaml | 6 +-- .github/workflows/translations-upload.yaml | 4 +- 12 files changed, 85 insertions(+), 85 deletions(-) diff --git a/.github/actions/build-frontend/action.yml b/.github/actions/build-frontend/action.yml index 08e2cf6f0..a8f101950 100644 --- a/.github/actions/build-frontend/action.yml +++ b/.github/actions/build-frontend/action.yml @@ -10,7 +10,7 @@ runs: using: composite steps: - name: Install Node - uses: actions/setup-node@v6.0.0 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: node-version: "24" diff --git a/.github/actions/build-policies/action.yml b/.github/actions/build-policies/action.yml index 6264047ef..b792393ff 100644 --- a/.github/actions/build-policies/action.yml +++ b/.github/actions/build-policies/action.yml @@ -10,7 +10,7 @@ runs: using: composite steps: - name: Install Open Policy Agent - uses: open-policy-agent/setup-opa@v2.2.0 + uses: open-policy-agent/setup-opa@34a30e8a924d1b03ce2cf7abe97250bbb1f332b5 # v2.2.0 with: # Keep in sync with the Dockerfile and policies/Makefile version: 1.13.1 diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ee7ad2a8b..3d1e6d315 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -46,7 +46,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: # Need a full clone so that `git describe` reports the right version fetch-depth: 0 @@ -67,7 +67,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: ./.github/actions/build-frontend - uses: ./.github/actions/build-policies @@ -84,7 +84,7 @@ jobs: chmod -R u=rwX,go=rX assets-dist/ - name: Upload assets - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: assets path: assets-dist @@ -112,7 +112,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable @@ -121,15 +121,15 @@ jobs: ${{ matrix.target }} - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Install zig - uses: goto-bus-stop/setup-zig@v2 + uses: goto-bus-stop/setup-zig@abea47f85e598557f500fa1fd2ab7464fcb39406 # v2 with: version: 0.13.0 - name: Install cargo-zigbuild - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2 with: tool: cargo-zigbuild @@ -143,7 +143,7 @@ jobs: -p mas-cli - name: Upload binary artifact - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: binary-${{ matrix.target }} path: target/${{ matrix.target }}/release/mas-cli @@ -162,19 +162,19 @@ jobs: steps: - name: Download assets - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: assets path: assets-dist - name: Download binary x86_64 - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: binary-x86_64-unknown-linux-gnu path: binary-x86_64 - name: Download binary aarch64 - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: binary-aarch64-unknown-linux-gnu path: binary-aarch64 @@ -192,13 +192,13 @@ jobs: done - name: Upload aarch64 archive - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: mas-cli-aarch64-linux path: mas-cli-aarch64-linux.tar.gz - name: Upload x86_64 archive - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: mas-cli-x86_64-linux path: mas-cli-x86_64-linux.tar.gz @@ -226,7 +226,7 @@ jobs: steps: - name: Docker meta id: meta - uses: docker/metadata-action@v6.0.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: "${{ env.IMAGE }}" bake-target: docker-metadata-action @@ -242,7 +242,7 @@ jobs: - name: Docker meta (debug variant) id: meta-debug - uses: docker/metadata-action@v6.0.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: "${{ env.IMAGE }}" bake-target: docker-metadata-action-debug @@ -258,17 +258,17 @@ jobs: type=sha - name: Setup Cosign - uses: sigstore/cosign-installer@v4.1.1 + uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4.0.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: buildkitd-config-inline: | [registry."docker.io"] mirrors = ["mirror.gcr.io"] - name: Login to GitHub Container Registry - uses: docker/login-action@v4.1.0 + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 with: registry: ghcr.io username: ${{ github.repository_owner }} @@ -276,7 +276,7 @@ jobs: - name: Build and push id: bake - uses: docker/bake-action@v7.1.0 + uses: docker/bake-action@a66e1c87e2eca0503c343edf1d208c716d54b8a8 # v7.1.0 with: files: | ./docker-bake.hcl @@ -320,14 +320,14 @@ jobs: - build-image steps: - name: Download the artifacts from the previous job - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: mas-cli-* path: artifacts merge-multiple: true - name: Prepare a release - uses: softprops/action-gh-release@v2.6.1 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 with: generate_release_notes: true body: | @@ -376,27 +376,27 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts - name: Download the artifacts from the previous job - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: pattern: mas-cli-* path: artifacts merge-multiple: true - name: Update unstable git tag - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | const script = require('./.github/scripts/update-unstable-tag.cjs'); await script({ core, github, context }); - name: Update unstable release - uses: softprops/action-gh-release@v2.6.1 + uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 with: name: "Unstable build" tag_name: unstable @@ -454,13 +454,13 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts - name: Remove label and comment - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: BUILD_IMAGE_MANIFEST: ${{ needs.build-image.outputs.metadata }} with: diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ee352baa3..ca2ed7645 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -34,12 +34,12 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: ./.github/actions/build-policies - name: Setup Regal - uses: StyraInc/setup-regal@v1 + uses: StyraInc/setup-regal@33a142b1189004e0f14bf42b15972c67eecce776 # v1 with: # Keep in sync with policies/Makefile version: 0.38.1 @@ -61,10 +61,10 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Node - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 @@ -85,10 +85,10 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Node - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 @@ -109,10 +109,10 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Node - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 @@ -133,7 +133,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@nightly @@ -156,10 +156,10 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Run `cargo-deny` - uses: EmbarkStudios/cargo-deny-action@v2.0.16 + uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16 with: rust-version: stable @@ -172,7 +172,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain run: | @@ -180,7 +180,7 @@ jobs: rustup default stable - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - uses: ./.github/actions/build-frontend @@ -213,17 +213,17 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain - uses: dtolnay/rust-toolchain@1.93.0 + uses: dtolnay/rust-toolchain@b1b44fef029483cc79808c5eb89461241fd8f32f # 1.93.0 with: components: clippy - uses: ./.github/actions/build-policies - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Run clippy run: | @@ -238,18 +238,18 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable - name: Install nextest - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2 with: tool: cargo-nextest - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Build and archive tests run: cargo nextest archive --workspace --archive-file nextest-archive.tar.zst @@ -257,7 +257,7 @@ jobs: SQLX_OFFLINE: "1" - name: Upload archive to workflow - uses: actions/upload-artifact@v7.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: nextest-archive path: nextest-archive.tar.zst @@ -291,13 +291,13 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable - name: Install nextest - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2 with: tool: cargo-nextest @@ -305,7 +305,7 @@ jobs: - uses: ./.github/actions/build-policies - name: Download archive - uses: actions/download-artifact@v8 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8 with: name: nextest-archive @@ -333,6 +333,6 @@ jobs: runs-on: ubuntu-24.04 steps: - - uses: matrix-org/done-action@v3 + - uses: matrix-org/done-action@3409aa904e8a2aaf2220f09bc954d3d0b0a2ee67 # v3 with: needs: ${{ toJSON(needs) }} diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml index 355bbfe5d..d35ab9d0c 100644 --- a/.github/workflows/coverage.yaml +++ b/.github/workflows/coverage.yaml @@ -29,7 +29,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: ./.github/actions/build-policies @@ -38,7 +38,7 @@ jobs: run: make coverage - name: Upload to codecov.io - uses: codecov/codecov-action@v6.0.0 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: policies/coverage.json @@ -54,7 +54,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - uses: ./.github/actions/build-frontend env: @@ -65,7 +65,7 @@ jobs: run: npm run coverage - name: Upload to codecov.io - uses: codecov/codecov-action@v6.0.0 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: token: ${{ secrets.CODECOV_TOKEN }} directory: frontend/coverage/ @@ -99,7 +99,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable @@ -107,10 +107,10 @@ jobs: components: llvm-tools-preview - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Install grcov - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2 with: tool: grcov @@ -132,7 +132,7 @@ jobs: grcov . --binary-path ./target/debug/deps/ -s . -t lcov --branch --ignore-not-existing --ignore '../*' --ignore "/*" -o target/coverage/tests.lcov - name: Upload to codecov.io - uses: codecov/codecov-action@v6.0.0 + uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 with: token: ${{ secrets.CODECOV_TOKEN }} files: target/coverage/*.lcov diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml index 1339f99c4..94601caf6 100644 --- a/.github/workflows/docs.yaml +++ b/.github/workflows/docs.yaml @@ -25,21 +25,21 @@ jobs: runs-on: ubuntu-24.04 steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable - name: Setup sccache - uses: mozilla-actions/sccache-action@v0.0.9 + uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9 - name: Install mdbook - uses: taiki-e/install-action@v2 + uses: taiki-e/install-action@7ea35f098a7369cd23488403f58be9c491a6c55f # v2 with: tool: mdbook - name: Install Node - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 @@ -53,7 +53,7 @@ jobs: done - name: Upload GitHub Pages artifacts - uses: actions/upload-pages-artifact@v4.0.0 + uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4.0.0 with: path: target/book/ @@ -74,4 +74,4 @@ jobs: steps: - name: Deploy to GitHub Pages id: deployment - uses: actions/deploy-pages@v5.0.0 + uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5.0.0 diff --git a/.github/workflows/merge-back.yaml b/.github/workflows/merge-back.yaml index 8239442fc..82162c78e 100644 --- a/.github/workflows/merge-back.yaml +++ b/.github/workflows/merge-back.yaml @@ -24,13 +24,13 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts - name: Push branch and open a PR - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: SHA: ${{ inputs.sha }} with: diff --git a/.github/workflows/release-branch.yaml b/.github/workflows/release-branch.yaml index f0843f717..f81bbd392 100644 --- a/.github/workflows/release-branch.yaml +++ b/.github/workflows/release-branch.yaml @@ -34,7 +34,7 @@ jobs: run: exit 1 - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable @@ -61,10 +61,10 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Node - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 @@ -106,13 +106,13 @@ jobs: needs: [tag, compute-version, localazy] steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts - name: Create a new release branch - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: BRANCH: release/v${{ needs.compute-version.outputs.short }} SHA: ${{ needs.tag.outputs.sha }} diff --git a/.github/workflows/release-bump.yaml b/.github/workflows/release-bump.yaml index a2a20791a..75f52a451 100644 --- a/.github/workflows/release-bump.yaml +++ b/.github/workflows/release-bump.yaml @@ -33,7 +33,7 @@ jobs: run: exit 1 - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable @@ -76,13 +76,13 @@ jobs: needs: [tag, compute-version] steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: sparse-checkout: | .github/scripts - name: Update the release branch - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: BRANCH: "${{ github.ref_name }}" SHA: ${{ needs.tag.outputs.sha }} diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml index c6c394c81..13d543d7c 100644 --- a/.github/workflows/tag.yaml +++ b/.github/workflows/tag.yaml @@ -30,7 +30,7 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable @@ -46,7 +46,7 @@ jobs: run: cargo metadata --format-version 1 - name: Commit and tag using the GitHub API - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 id: commit env: VERSION: ${{ inputs.version }} @@ -58,7 +58,7 @@ jobs: return await script({ core, github, context }); - name: Update the refs - uses: actions/github-script@v8.0.0 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: VERSION: ${{ inputs.version }} TAG_SHA: ${{ fromJSON(steps.commit.outputs.result).tag }} diff --git a/.github/workflows/translations-download.yaml b/.github/workflows/translations-download.yaml index 586d833da..eedea35c4 100644 --- a/.github/workflows/translations-download.yaml +++ b/.github/workflows/translations-download.yaml @@ -19,10 +19,10 @@ jobs: run: exit 1 - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Node - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 @@ -42,7 +42,7 @@ jobs: - name: Create Pull Request id: cpr - uses: peter-evans/create-pull-request@v8.1.0 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: sign-commits: true token: ${{ secrets.BOT_GITHUB_TOKEN }} diff --git a/.github/workflows/translations-upload.yaml b/.github/workflows/translations-upload.yaml index 392cec1ef..de0eb7477 100644 --- a/.github/workflows/translations-upload.yaml +++ b/.github/workflows/translations-upload.yaml @@ -18,10 +18,10 @@ jobs: steps: - name: Checkout the code - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install Node - uses: actions/setup-node@v6.3.0 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24