From 29e5f0b675fcdb77db7c0dbad53a6fc8f1e239ef Mon Sep 17 00:00:00 2001 From: Joshua Li Date: Mon, 23 Mar 2026 12:57:34 -0700 Subject: [PATCH] chore: pin GitHub Actions to full-length commit SHAs --- .github/workflows/build.yml | 70 ++++++++++++------------- .github/workflows/changelog-preview.yml | 2 +- .github/workflows/notify-issues.yml | 2 +- .github/workflows/release.yml | 10 ++-- 4 files changed, 42 insertions(+), 42 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9150e73dd..3452a3c92 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -32,10 +32,10 @@ jobs: outputs: playwright-version: ${{ steps.playwright-version.outputs.version }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Cache turbo build setup - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .turbo key: ${{ runner.os }}-turbo-${{ github.sha }} @@ -43,10 +43,10 @@ jobs: ${{ runner.os }}-turbo- - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: "package.json" cache: "pnpm" @@ -56,7 +56,7 @@ jobs: run: | echo "STORE_PATH=$(pnpm store path --silent | tr -d '\n\r')" >> $GITHUB_ENV - - uses: actions/cache@v4 + - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 name: Setup pnpm cache with: path: ${{ env.STORE_PATH }} @@ -127,7 +127,7 @@ jobs: run: pnpm pack - name: Store built packages - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: built-packages if-no-files-found: error 
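Review bot: The trailing comments on the pinned lines in the first build.yml hunk (`# v6` on `actions/checkout`, `# v4` on `actions/cache`, and so on) name floating major tags, so nothing in the file records which release each SHA was taken from, and a reviewer cannot check a hash against a published tag. This applies to every pinned line in the patch except `actions/create-github-app-token`, which carries the exact `# v2.2.1`. I would put the exact release in each comment, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.<minor>.<patch>` (placeholder; use the tag the SHA actually belongs to). The diffstat lists only the four workflow files, so if no update bot is configured for the `github-actions` ecosystem, these pins will age past upstream security fixes unnoticed.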
@@ -136,21 +136,21 @@ jobs: packages/spotlight/dist/ - name: Store npm package - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: npm-package if-no-files-found: error path: packages/spotlight/*.tgz - name: Store standalone spotlight binaries - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: spotlight-binaries if-no-files-found: error path: packages/spotlight/dist-bin/spotlight-* - name: Store Electron build - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: electron-build if-no-files-found: error @@ -173,10 +173,10 @@ jobs: matrix: node_version: [20, 22, 24] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Cache turbo build setup - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .turbo key: ${{ runner.os }}-turbo-${{ github.sha }} @@ -184,10 +184,10 @@ jobs: ${{ runner.os }}-turbo- - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ matrix.node_version }} cache: "pnpm" @@ -206,7 +206,7 @@ jobs: - name: Upload test results to Codecov if: ${{ !cancelled() }} - uses: getsentry/codecov-action@main + uses: getsentry/codecov-action@fda17cfc37e16a0cc23f61685813390bfee7daf3 # main with: token: ${{ secrets.GITHUB_TOKEN }} post-pr-comment: true 
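Review bot: In the hunk at `@@ -206,7 +206,7 @@`, `getsentry/codecov-action` is pinned to a commit whose comment is `# main`, a branch name rather than a release. The hash is therefore an arbitrary snapshot of the branch, and nothing records when it was taken or gives update tooling a version to compare against. If the action publishes release tags, pin to the commit of a tag and name that tag in the comment; otherwise record the snapshot date, e.g. `# main as of <YYYY-MM-DD>` (placeholder). This step also receives `secrets.GITHUB_TOKEN` with `post-pr-comment: true`, and the job's `permissions:` block is outside the hunk, so it is worth confirming the token is limited to what posting the comment needs.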
@@ -219,13 +219,13 @@ jobs: matrix: node_version: [20, 22, 24] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: ${{ matrix.node_version }} cache: "pnpm" @@ -237,7 +237,7 @@ jobs: run: rm -rf packages/spotlight/dist/ - name: Download Spotlight build - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: built-packages path: packages/spotlight/dist/ @@ -254,13 +254,13 @@ jobs: image: mcr.microsoft.com/playwright:v${{needs.build.outputs.playwright-version}}-noble options: --user 1001 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: 24 cache: "pnpm" @@ -274,13 +274,13 @@ jobs: rm -rf packages/spotlight/dist-electron/ - name: Download Spotlight build - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: built-packages path: packages/spotlight/dist/ - name: Download Electron build - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: electron-build path: packages/spotlight/dist-electron/ 
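Review bot: In the hunk at `@@ -254,13 +254,13 @@`, the job container `mcr.microsoft.com/playwright:v${{needs.build.outputs.playwright-version}}-noble` is still resolved by a mutable tag, so the steps that are now SHA-pinned run inside an image that is not pinned. Because the tag is computed from the build job's output, a digest pin would need that job to emit the digest as well. If that is out of scope for this commit, I would at least mark the gap with a comment above the `image:` line, e.g. `# image is resolved by tag at run time; not covered by the action SHA pins`. The job header starts above the hunk, so I cannot see whether this is already documented there.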
@@ -291,7 +291,7 @@ jobs: - name: Test results if: always() - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: test-results-ui path: packages/spotlight/test-results/** @@ -305,10 +305,10 @@ jobs: env: MULTI_ARCH_BUILD: ${{ ((github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'push') && github.actor != 'dependabot[bot]') && 'true' || 'false' }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Download spotlight binaries - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: spotlight-binaries path: packages/spotlight/dist-bin/ @@ -318,20 +318,20 @@ jobs: run: mv packages/spotlight/dist-bin/spotlight-linux-x64 packages/spotlight/dist-bin/spotlight-linux-amd64 - name: Login to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Setup QEMU for cross-compilation - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3 - name: Configure Docker Context - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 - name: Build Docker Image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5 with: context: . cache-from: type=gha,scope=prod 
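Review bot: In the hunk at `@@ -318,20 +318,20 @@`, pinning `docker/setup-qemu-action` and `docker/setup-buildx-action` fixes the action code but not the container images those actions pull at run time. As far as I know, the QEMU action defaults to a `latest`-tagged binfmt image and buildx pulls a tagged BuildKit image. Both run in the same job that has just logged in to GHCR with `secrets.GITHUB_TOKEN`. I would set the QEMU action's `image` input to a digest reference, e.g. `image: docker.io/tonistiigi/binfmt@sha256:<digest>` (placeholder digest), and consider doing the same for the BuildKit image through the buildx action's driver options.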
@@ -354,13 +354,13 @@ jobs: environment: Production steps: - name: Checkout Repo - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: "package.json" cache: "pnpm" @@ -369,7 +369,7 @@ jobs: run: pnpm install - name: Download Electron build - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5 with: name: electron-build path: packages/spotlight/dist-electron/ @@ -405,7 +405,7 @@ jobs: run: pnpm build:mac - name: Store Electron binaries - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5 with: name: electron-binaries if-no-files-found: error diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index a18c9fa76..7d116a4e4 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -15,5 +15,5 @@ permissions: jobs: changelog-preview: name: Preview Changelog - uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 + uses: getsentry/craft/.github/workflows/changelog-preview.yml@f4889d04564e47311038ecb6b910fef6b6cf1363 # v2 secrets: inherit diff --git a/.github/workflows/notify-issues.yml b/.github/workflows/notify-issues.yml index a851d4d61..61ba93249 100644 --- a/.github/workflows/notify-issues.yml +++ b/.github/workflows/notify-issues.yml 
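Review bot: In the changelog-preview.yml hunk, the reusable workflow is now pinned but is still called with `secrets: inherit`, so the pinned code receives every secret the caller can read. The pin fixes which revision gets them, not how many it gets. If the called workflow needs only a small set, replace `secrets: inherit` with an explicit `secrets:` map that names just those, so a later pin update cannot silently widen what a new upstream revision can reach. The `permissions:` block and the trigger sit above the hunk, so I cannot tell from here whether this workflow runs on pull requests from forks.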
@@ -35,7 +35,7 @@ jobs: && !contains(steps.get_version.outputs.version, '-beta.') && !contains(steps.get_version.outputs.version, '-alpha.') && !contains(steps.get_version.outputs.version, '-rc.') - uses: getsentry/release-comment-issues-gh-action@v1 + uses: getsentry/release-comment-issues-gh-action@52e08022ca721e701515ede89edd224b63b180eb # v1 with: github_token: ${{ secrets.GITHUB_TOKEN }} version: ${{ steps.get_version.outputs.version }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6e2f42671..306597448 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,27 +27,27 @@ jobs: steps: - name: Get auth token id: token - uses: actions/create-github-app-token@v2.2.1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1 with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0 - name: Setup pnpm - uses: pnpm/action-setup@v4 + uses: pnpm/action-setup@02f6c237bd2518259fed6c71566509edfb3f2b74 # v4 - name: Set up Node - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version-file: "package.json" cache: "pnpm" - name: Prepare release - uses: getsentry/craft@v2 + uses: getsentry/craft@f4889d04564e47311038ecb6b910fef6b6cf1363 # v2 env: GITHUB_TOKEN: ${{ steps.token.outputs.token }} with:
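Review bot: In the release.yml hunk, the `Get auth token` step mints an app token from `SENTRY_RELEASE_BOT_PRIVATE_KEY` with no `permission-*` inputs, so by default the token carries every permission the app installation has. That token is then passed to `actions/checkout` and to `getsentry/craft`, and it is also in scope for the pnpm and Node setup steps in between. Pinning those actions reduces the risk, but I would also scope the token to what the release needs, for example `permission-contents: write` if pushing the release branch is all Craft does here (to be confirmed against Craft's requirements). The `with:` block of the `Prepare release` step continues past the end of the hunk.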