From 8bcc8b438146661d3e9f541b5da1b2311c032728 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Fri, 20 Feb 2026 12:24:01 +0900 Subject: [PATCH 01/14] chore: pin GitHub Actions to SHA (.github/workflows/benchmarking.yml) --- .github/workflows/benchmarking.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/benchmarking.yml b/.github/workflows/benchmarking.yml index e8cf0eb6c2..e55f087b7d 100644 --- a/.github/workflows/benchmarking.yml +++ b/.github/workflows/benchmarking.yml @@ -128,7 +128,7 @@ jobs: MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }} MATCH_USERNAME: ${{ secrets.MATCH_USERNAME }} - name: Collect app metrics - uses: getsentry/action-app-sdk-overhead-metrics@v1 + uses: getsentry/action-app-sdk-overhead-metrics@c9eca50e02d180ee07a02952c062b2f3f545f735 # v1 with: config: Tests/Perf/metrics-test.yml sauce-user: ${{ secrets.SAUCE_USERNAME }} From b295e20a7521e88d971544f1f58560b17b0c56e1 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Fri, 20 Feb 2026 12:24:02 +0900 Subject: [PATCH 02/14] chore: pin GitHub Actions to SHA (.github/workflows/release.yml) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8a1b4871ed..7f20c76001 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,7 +21,7 @@ jobs: fetch-depth: 0 - name: Prepare release - uses: getsentry/action-prepare-release@v1 + uses: getsentry/action-prepare-release@c8e1c2009ab08259029170132c384f03c1064c0e # v1 env: GITHUB_TOKEN: ${{ secrets.GH_RELEASE_PAT }} with: From be6302bc2227ac054fd63c089cabf8ea52bf06be Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:20:43 +0900 Subject: [PATCH 03/14] chore: add security-check workflow for SHA pinning CI --- .github/workflows/security-check.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .github/workflows/security-check.yaml 
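Review bot: The trailing `# v1` on the pinned `getsentry/action-app-sdk-overhead-metrics` step in `benchmarking.yml` names a moving major tag, so the line does not record which release the SHA was taken from and the pin cannot be re-checked later. Put the exact release tag in the comment, e.g. `uses: getsentry/action-app-sdk-overhead-metrics@c9eca50e02d180ee07a02952c062b2f3f545f735 # <exact-release-tag>`, and confirm before merge that the commit is reachable from a tag in the upstream repository rather than only from a fork of it. The same applies to the `getsentry/action-prepare-release` pin in `release.yml` (PATCH 02), a step that receives `GH_RELEASE_PAT`, and to the `# v3` comments on the `actions/*` pins in PATCH 04 through 14.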
diff --git a/.github/workflows/security-check.yaml b/.github/workflows/security-check.yaml new file mode 100644 index 0000000000..9f8d344a44 --- /dev/null +++ b/.github/workflows/security-check.yaml @@ -0,0 +1,8 @@ +name: Security Check +on: + pull_request: + +jobs: + security-check: + uses: Buzzvil/workflows/.github/workflows/security-check.yaml@main + secrets: inherit From 1d03493f3933c8cb8a467d73a9563d76fccdd33a Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:19 +0900 Subject: [PATCH 04/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/benchmarking.yml) --- .github/workflows/benchmarking.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/benchmarking.yml b/.github/workflows/benchmarking.yml index e55f087b7d..acc80da50c 100644 --- a/.github/workflows/benchmarking.yml +++ b/.github/workflows/benchmarking.yml @@ -25,14 +25,14 @@ jobs: name: Build app and test runner runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh - name: Install SentryCli run: brew install getsentry/tools/sentry-cli - run: git apply ./scripts/set-device-tests-environment.patch - name: Cache iOS-Swift App and dSYM build products id: ios-swift-cache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: | DerivedData/Build/Products/Debug-iphoneos/iOS-Swift.app.dSYM @@ -40,7 +40,7 @@ jobs: key: ios-swift-for-ui-testing-cache-key-${{ hashFiles('Samples/iOS-Swift/iOS-Swift/**') }} - name: Cache iOS-Swift UI Test Runner App build product id: ios-swift-benchmark-runner-cache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: | DerivedData/Build/Products/Debug-iphoneos/PerformanceBenchmarks-Runner.app 
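Review bot: The new `security-check.yaml` calls `Buzzvil/workflows/.github/workflows/security-check.yaml@main` with `secrets: inherit`, so the one workflow this series adds is itself referenced by a mutable branch and is handed every secret the caller can pass. A change pushed to that branch takes effect here on the next pull request without any review in this repository. Pin the reusable workflow like the actions, `uses: Buzzvil/workflows/.github/workflows/security-check.yaml@<full-commit-sha> # main`, and replace `secrets: inherit` with an explicit `secrets:` map listing only what the check needs. The file also declares no `permissions:`. The caller's permissions cap what the called jobs can use, so a top-level `permissions:` with `contents: read` would bound the token, assuming the check only reads the repository (confirm against the called workflow).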
@@ -67,7 +67,7 @@ jobs: run: | sentry-cli --auth-token ${{ secrets.SENTRY_AUTH_TOKEN }} upload-dif --org sentry-sdks --project sentry-cocoa DerivedData/Build/Products/Debug-iphoneos/iOS-Swift.app.dSYM - name: Archiving DerivedData - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: name: DerivedData-Xcode path: | @@ -83,8 +83,8 @@ jobs: matrix: suite: ['High-end device', 'Mid-range device', 'Low-end device'] steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 with: name: DerivedData-Xcode - run: npm install -g saucectl@0.107.2 @@ -99,9 +99,9 @@ jobs: runs-on: macos-12 steps: - name: Git checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 id: app-plain-cache with: path: Tests/Perf/test-app-plain.ipa From bc5d29dc96c689374503e80fc3b25bdcf3606b84 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:22 +0900 Subject: [PATCH 05/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/build.yml) --- .github/workflows/build.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 43b37d2a65..638fa3332f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,7 +22,7 @@ jobs: name: Release Build of iOS Swift runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh - name: Run Fastlane 
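Review bot: The `actions/upload-artifact` pin in the `Archiving DerivedData` step of `benchmarking.yml`, and the `actions/download-artifact` pin in the next hunk, freeze the workflow on the v3 line of the artifact actions, which GitHub has announced as deprecated. A SHA pin does not exempt a step from that. If v3 is no longer accepted on the runners this repository uses, pin the commit of a currently supported major instead, e.g. `uses: actions/upload-artifact@<full-commit-sha> # <supported-release-tag>`. Move upload and download together, because artifacts are not interchangeable between the v3 and v4 actions. The same v3 artifact pins recur in `build.yml`, `profile-data-generator.yml`, `saucelabs-UI-tests.yml`, `test.yml` and `testflight.yml` later in the series.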
@@ -49,7 +49,7 @@ jobs: - iOS13-Swift steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh # Disable code signing. We just want to make sure these compile. @@ -66,7 +66,7 @@ jobs: name: Sample watchOS runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh - run: make build-for-watchos @@ -83,14 +83,14 @@ jobs: name: Build & Validate XCFramework runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: make build-xcframework shell: sh - run: make build-xcframework-sample shell: sh - name: Archiving XCFramework.zip - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: name: ${{ github.sha }} if-no-files-found: error @@ -102,7 +102,7 @@ jobs: name: Build & Validate Framework runs-on: macos-11 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh 12.5.1 - run: make build-framework shell: sh @@ -110,7 +110,7 @@ jobs: shell: sh - name: Archiving Framework.zip - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: name: ${{ github.sha }} if-no-files-found: error @@ -124,7 +124,7 @@ jobs: name: Validate Swift Package Manager runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Set SPM revision to current git commit run: >- if [[ "${{ github.event.pull_request.head.sha }}" != "" ]]; then 
@@ -141,7 +141,7 @@ jobs: name: Validate Swift Package Manager Dynamic runs-on: macos-11 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Set SPM revision to current git commit run: >- if [[ "${{ github.event.pull_request.head.sha }}" != "" ]]; then @@ -158,6 +158,6 @@ jobs: name: Build with Swift runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: swift build shell: sh From 668042364ef0803fbb3fa535c9a1d1b4a0fb8caf Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:24 +0900 Subject: [PATCH 06/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/codeql-analysis.yml) --- .github/workflows/codeql-analysis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index a341b2fd63..de5648c8fc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Initialize CodeQL uses: github/codeql-action/init@18fe527fa8b29f134bb91f32f1a5dc5abb15ed7f # pin@v2 From e771fc53b6e07401b34abb6b9511c280cd4a5bb4 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:28 +0900 Subject: [PATCH 07/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/format-code.yml) --- .github/workflows/format-code.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index ec59d10af5..74b3405f45 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml 
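Review bot: In `codeql-analysis.yml` the new checkout pin is annotated `# v3` while the `github/codeql-action/init` step directly below it already uses `# pin@v2`, so the file now carries two comment conventions for the same thing. Use one form throughout, e.g. `uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # pin@v3`, so a search or an update tool that keys on the comment finds every pin. The job's remaining steps are outside the hunk.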
@@ -15,7 +15,7 @@ jobs: name: Format Code runs-on: macos-11 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Install Clang-Format run: brew install clang-format - name: Format Code From 740c0272c84b9fbbfa2eefdbf48166ffe0305bf7 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:30 +0900 Subject: [PATCH 08/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/integration-tests.yml) --- .github/workflows/integration-tests.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml index 6b1b59ff2f..1f78e10b9e 100644 --- a/.github/workflows/integration-tests.yml +++ b/.github/workflows/integration-tests.yml @@ -25,7 +25,7 @@ jobs: runs-on: macos-11 timeout-minutes: 15 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: 'Alamofire/Alamofire' ref: 'f82c23a8a7ef8dc1a49a8bfc6a96883e79121864' @@ -78,7 +78,7 @@ jobs: env: DEVELOPER_DIR: /Applications/Xcode_13.2.app/Contents/Developer steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: 'home-assistant/iOS' ref: '6d6606aed63a778c5a2bd64f8981823433a7f2fa' 
@@ -100,14 +100,14 @@ jobs: - name: Download and Apply Patch run: ./apply-patch.sh "${{ github.event.pull_request.head.sha }}" "${{ github.sha }}" add-sentry-to-homekit - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 name: 'Cache: Gems' id: cache_gems with: path: vendor/bundle key: home-assistant-integration-gems-${{ runner.os }}-${{ env.ImageVersion }}-${{ env.DEVELOPER_DIR }}-${{ hashFiles('**/Gemfile.lock') }} - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 name: 'Cache: Pods' id: cache_pods if: steps.cache_gems.outputs.cache-hit == 'true' @@ -145,7 +145,7 @@ jobs: runs-on: macos-12 timeout-minutes: 30 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: repository: 'videolan/vlc-ios' ref: '5d2b5505edc3387cad43deca14c0bd0b19e3f133' @@ -167,7 +167,7 @@ jobs: - name: Download and Apply Patch run: ./apply-patch.sh "${{ github.event.pull_request.head.sha }}" "${{ github.sha }}" add-sentry-to-vlc - - uses: actions/cache@v3 + - uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 name: 'Cache: Pods' id: cache-pods with: From 26c74ee2b449080971097c8672393000e9f8b4ae Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:33 +0900 Subject: [PATCH 09/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/lint.yml) --- .github/workflows/lint.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index c724faee5d..504f1274ac 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -27,7 +27,7 @@ jobs: name: Swift Lint runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Run SwiftLint run: swiftlint 
@@ -35,7 +35,7 @@ jobs: name: Xcode Analyze runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh - run: make analyze @@ -47,7 +47,7 @@ jobs: platform: ['ios', 'macos', 'tvos', 'watchos'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh - name: Validate Podspec run: pod lib lint --verbose --platforms=${{ matrix.platform }} @@ -57,5 +57,5 @@ jobs: name: No changes in high risk files runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/no-changes-in-high-risk-files.sh From 9930887d3b797030a3859791097fc73101f27e47 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:35 +0900 Subject: [PATCH 10/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/profile-data-generator.yml) --- .github/workflows/profile-data-generator.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/profile-data-generator.yml b/.github/workflows/profile-data-generator.yml index 6e3f1c585c..dedae38181 100644 --- a/.github/workflows/profile-data-generator.yml +++ b/.github/workflows/profile-data-generator.yml @@ -10,13 +10,13 @@ jobs: name: Build app and test runner runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh 13.4.1 - name: Install SentryCli run: brew install getsentry/tools/sentry-cli - name: Cache Carthage dependencies id: trendingmovies-carthage-cache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ./Samples/TrendingMovies/Carthage/Build key: trendingmovies-carthage-cache-key-${{ hashFiles('Samples/TrendingMovies/Cartfile.resolved') }} 
@@ -25,7 +25,7 @@ jobs: run: cd Samples/TrendingMovies && carthage update --use-xcframeworks - name: Cache TrendingMovies App and dSYM build products id: cache-trending-movies-app - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: | DerivedData/Build/Products/Debug-iphoneos/TrendingMovies.app @@ -33,7 +33,7 @@ jobs: key: trendingmovies-app-cache-key-${{ hashFiles('Samples/TrendingMovies/TrendingMovies/**') }} - name: Cache ProfileDataGenerator UI Test Runner App build product id: cache-profiledatagenerator-test-runner-app - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: | DerivedData/Build/Products/Debug-iphoneos/ProfileDataGeneratorUITest-Runner.app @@ -62,7 +62,7 @@ jobs: run: | sentry-cli --auth-token ${{ secrets.SENTRY_AUTH_TOKEN }} upload-dif --org sentry-sdks --project trending-movies DerivedData/Build/Products/Debug-iphoneos/TrendingMovies.app.dSYM - name: Archiving DerivedData - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: name: data-generator-build-products path: | @@ -79,8 +79,8 @@ jobs: matrix: suite: ['High-end device', 'Mid-range device'] steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 with: name: data-generator-build-products - run: npm install -g saucectl@0.107.2 From d73a54ab76d5ddcd472cf83ffa4ccc2b514e7dee Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:38 +0900 Subject: [PATCH 11/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/release.yml) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7f20c76001..8d101a1aed 100644 
--- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: name: 'Release a new version' steps: - name: Check out current commit (${{ github.sha }}) - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 with: token: ${{ secrets.GH_RELEASE_PAT }} fetch-depth: 0 From 6c57dff3840aeb99203a93b16fbea6091acfd43c Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:40 +0900 Subject: [PATCH 12/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/saucelabs-UI-tests.yml) --- .github/workflows/saucelabs-UI-tests.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/saucelabs-UI-tests.yml b/.github/workflows/saucelabs-UI-tests.yml index ab6d2ed9d1..6846fade84 100644 --- a/.github/workflows/saucelabs-UI-tests.yml +++ b/.github/workflows/saucelabs-UI-tests.yml @@ -32,14 +32,14 @@ jobs: xcode: '13.4.1' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh ${{matrix.xcode}} - name: Install SentryCli run: brew install getsentry/tools/sentry-cli - run: git apply ./scripts/set-device-tests-environment.patch - name: Cache iOS-Swift App and dSYM build products id: ios-swift-cache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: | DerivedData/Build/Products/Debug-iphoneos/iOS-Swift.app.dSYM @@ -47,7 +47,7 @@ jobs: key: ios-swift-for-ui-testing-cache-key-${{ hashFiles('Samples/iOS-Swift/iOS-Swift/**') }}-Xcode-${{ matrix.xcode }} - name: Cache iOS-Swift UI Test Runner App build product id: ios-swift-uitest-runner-cache - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: | DerivedData/Build/Products/Debug-iphoneos/iOS-SwiftUITests-Runner.app 
@@ -74,7 +74,7 @@ jobs: run: | sentry-cli --auth-token ${{ secrets.SENTRY_AUTH_TOKEN }} upload-dif --org sentry-sdks --project sentry-cocoa DerivedData/Build/Products/Debug-iphoneos/iOS-Swift.app.dSYM - name: Archiving DerivedData - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: name: DerivedData-Xcode-${{matrix.xcode}} path: | @@ -108,9 +108,9 @@ jobs: suite: 'iOS-10' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - - uses: actions/download-artifact@v3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 with: name: DerivedData-Xcode-${{matrix.xcode}} From 94ea8f16344a7679622425be173100d8e65d2dc4 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:42 +0900 Subject: [PATCH 13/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/test.yml) --- .github/workflows/test.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d4f23a1114..93bb245445 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,10 +22,10 @@ jobs: name: Build test server runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Cache for Test Server id: cache_test_server - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 with: path: ./test-server/.build key: test-server-${{ hashFiles('./test-server') }} @@ -44,7 +44,7 @@ jobs: run: cp $(swift build --show-bin-path -c release)/Run test-server-exec - name: Archiving DerivedData - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: name: test-server path: | 
@@ -127,8 +127,8 @@ jobs: test-destination-os: 'latest' steps: - - uses: actions/checkout@v3 - - uses: actions/download-artifact@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 + - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3 with: name: test-server - name: Allow test-server to run @@ -161,7 +161,7 @@ jobs: run: ./scripts/xcode-test.sh ${{matrix.platform}} ${{matrix.test-destination-os}} ${{matrix.xcode}} $GITHUB_REF_NAME - name: Archiving DerivedData Logs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 if: failure() with: name: derived-data-${{matrix.platform}}-xcode-${{matrix.xcode}}-os-${{matrix.test-destination-os}} @@ -169,7 +169,7 @@ jobs: /Users/runner/Library/Developer/Xcode/DerivedData/**/Logs/** - name: Archiving Raw Test Logs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 if: ${{ failure() || cancelled() }} with: name: raw-test-output-${{matrix.platform}}-xcode-${{matrix.xcode}}-os-${{matrix.test-destination-os}} @@ -195,10 +195,10 @@ jobs: timeout-minutes: 20 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Cache for Test Server - uses: actions/cache@v3 + uses: actions/cache@6f8efc29b200d32929f49075959781ed54ec270c # v3 id: cache_test_server with: path: ./test-server/.build @@ -218,7 +218,7 @@ jobs: run: ./scripts/tests-with-thread-sanitizer.sh - name: Archiving Test Logs - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: path: thread-sanitizer.log 
@@ -230,7 +230,7 @@ jobs: target: ['ios_swift', 'ios_objc', 'tvos_swift'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh # GitHub Actions sometimes fail to launch the UI tests. Therefore we retry @@ -255,7 +255,7 @@ jobs: device: 'iPhone 8 (14.5)' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh ${{matrix.xcode}} # GitHub Actions sometimes fail to launch the UI tests. Therefore we retry @@ -272,7 +272,7 @@ jobs: target: ['ios_swift', 'ios_objc', 'tvos_swift'] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 # GH action images don't have an iOS 12.4 simulator. Therefore we have to download and install the simulator manually. - name: Install iOS 12.4 simulator @@ -291,7 +291,7 @@ jobs: runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh 13.4.1 # GitHub Actions sometimes fail to launch the UI tests. Therefore we retry From 3a25d30cc332f2a073917a618968b0b03ac444c8 Mon Sep 17 00:00:00 2001 From: "luis.hong" Date: Mon, 23 Feb 2026 18:58:44 +0900 Subject: [PATCH 14/14] chore: pin OFFICIAL, VERIFIED_CLOUD actions to SHA (.github/workflows/testflight.yml) --- .github/workflows/testflight.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/testflight.yml b/.github/workflows/testflight.yml index 1286444307..b464b65836 100644 --- a/.github/workflows/testflight.yml +++ b/.github/workflows/testflight.yml @@ -15,7 +15,7 @@ jobs: name: Build and Upload iOS-Swift to Testflight runs-on: macos-12 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - run: ./scripts/ci-select-xcode.sh - run: bundle install 
@@ -45,7 +45,7 @@ jobs: bundle exec fastlane ios_swift_to_testflight - name: Archiving - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@ff15f0306b3f739f7b6fd43fb5d26cd321bd4de5 # v3 with: name: dSYMs path: |