Commit 712525b

Copilot and jkowalleck authored
chore(ci): Pin GitHub Actions to immutable commit SHAs while preserving Dependabot tag tracking (#1427)
### Description

Pin all GitHub Action `uses:` references in `.github/workflows/nodejs.yml` and `.github/workflows/release.yml` from mutable major tags (e.g. `@v6`) to immutable 40-char commit SHAs. The original major tag is preserved as an inline comment (e.g. `# v6`) so that Dependabot can continue to detect upstream releases and propose version-bump pull requests.

Affected actions:
- `actions/checkout` (`v6`)
- `actions/setup-node` (`v6`)
- `actions/upload-artifact` (`v6`)
- `actions/download-artifact` (`v7`)
- `softprops/action-gh-release` (`v2`)
- `DerLev/eslint-annotations` (`v2`)
- `codacy/codacy-coverage-reporter-action` (`v1`)

Resolves or fixes issue: #1426

### AI Tool Disclosure

- [ ] My contribution does not include any AI-generated content
- [x] My contribution includes AI-generated content, as disclosed below:
  - AI Tools: `GitHub Copilot (coding agent)`
  - LLMs and versions: `Claude Sonnet 4.5`
  - Prompts: `Pin GitHub Actions to immutable commit SHAs while keeping tags visible for Dependabot`

### Affirmation

- [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md) guidelines

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
1 parent 3674388 commit 712525b

2 files changed

Lines changed: 41 additions & 41 deletions

.github/workflows/nodejs.yml

Lines changed: 34 additions & 34 deletions
@@ -41,10 +41,10 @@ jobs:
4141
steps:
4242
- name: Checkout
4343
# see https://github.com/actions/checkout
44-
uses: actions/checkout@v6
44+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
4545
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
4646
# see https://github.com/actions/setup-node
47-
uses: actions/setup-node@v6
47+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
4848
with:
4949
node-version: ${{ env.NODE_ACTIVE_LTS }}
5050
package-manager-cache: false
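Review bot: The trailing `# v6` comment on `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6` and `uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6` is the token Dependabot reads to keep the pin current, so it has to stay on the same line as the SHA; consider writing the exact release tag the SHA resolves to rather than the major alias, because `v6` is a moving tag and a later reader cannot check the SHA against it. What the diff cannot show is whether each SHA is the commit the tag pointed to when it was pinned, so that should be confirmed once via the repository named in the `# see https://github.com/actions/checkout` comment above each step before merging.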
@@ -54,7 +54,7 @@ jobs:
5454
run: npm run build:${{ matrix.target }}
5555
- name: artifact build result
5656
# see https://github.com/actions/upload-artifact
57-
uses: actions/upload-artifact@v6
57+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
5858
with:
5959
name: dist.${{ matrix.target }}
6060
path: dist.${{ matrix.target }}
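Review bot: The `actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6` pin on the changed line is identical to the one used for the other four `upload-artifact` steps in this file and in `release.yml`, which is the outcome you want; since the same action is now pinned in five places across two files, a small CI check that fails when two `uses:` lines for one action carry different SHAs would catch a future partial update leaving the workflows with mixed pins.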
@@ -67,10 +67,10 @@ jobs:
6767
steps:
6868
- name: Checkout
6969
# see https://github.com/actions/checkout
70-
uses: actions/checkout@v6
70+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
7171
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
7272
# see https://github.com/actions/setup-node
73-
uses: actions/setup-node@v6
73+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
7474
with:
7575
node-version: ${{ env.NODE_ACTIVE_LTS }}
7676
package-manager-cache: false
@@ -87,16 +87,16 @@ jobs:
8787
steps:
8888
- name: Checkout
8989
# see https://github.com/actions/checkout
90-
uses: actions/checkout@v6
90+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
9191
- name: fetch build artifact
9292
# see https://github.com/actions/download-artifact
93-
uses: actions/download-artifact@v7
93+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
9494
with:
9595
name: dist.d
9696
path: dist.d
9797
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
9898
# see https://github.com/actions/setup-node
99-
uses: actions/setup-node@v6
99+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
100100
with:
101101
node-version: ${{ env.NODE_ACTIVE_LTS }}
102102
package-manager-cache: false
@@ -123,12 +123,12 @@ jobs:
123123
- name: Annotate Code
124124
if: ${{ failure() || success() }}
125125
# see https://github.com/DerLev/eslint-annotations
126-
uses: DerLev/eslint-annotations@v2
126+
uses: DerLev/eslint-annotations@a79ea65c1b45a649c48bcc6efc0103b6fd2e4c5f # v2
127127
with:
128128
eslint-report: ${{ env.REPORTS_DIR }}/eslint.json
129129
- name: artifact eslint result
130130
# see https://github.com/actions/upload-artifact
131-
uses: actions/upload-artifact@v6
131+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
132132
if: ${{ failure() }}
133133
with:
134134
name: ${{ env.STANDARD_REPORTS_ARTIFACT }}
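Review bot: Style only, and in unchanged context rather than the pinned line: the `if: ${{ failure() || success() }}` guard on the `Annotate Code` step spells out what later steps in this same file write as `if: ${{ ! cancelled() }}`; aligning on one form would make the intent (run unless the job was cancelled) easier to scan, but it is not something this pinning change needs to take on.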
@@ -142,10 +142,10 @@ jobs:
142142
steps:
143143
- name: Checkout
144144
# see https://github.com/actions/checkout
145-
uses: actions/checkout@v6
145+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
146146
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
147147
# see https://github.com/actions/setup-node
148-
uses: actions/setup-node@v6
148+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
149149
with:
150150
node-version: ${{ env.NODE_ACTIVE_LTS }}
151151
package-manager-cache: false
@@ -189,10 +189,10 @@ jobs:
189189
steps:
190190
- name: Checkout
191191
# see https://github.com/actions/checkout
192-
uses: actions/checkout@v6
192+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
193193
- name: Setup Node.js ${{ matrix.node-version }}
194194
# see https://github.com/actions/setup-node
195-
uses: actions/setup-node@v6
195+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
196196
with:
197197
node-version: ${{ matrix.node-version }}
198198
package-manager-cache: false
@@ -230,7 +230,7 @@ jobs:
230230
echo "::endgroup::"
231231
- name: fetch build artifact
232232
# see https://github.com/actions/download-artifact
233-
uses: actions/download-artifact@v7
233+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
234234
with:
235235
name: dist.node
236236
path: dist.node
@@ -248,7 +248,7 @@ jobs:
248248
- name: artifact test reports
249249
if: ${{ ! cancelled() }}
250250
# see https://github.com/actions/upload-artifact
251-
uses: actions/upload-artifact@v6
251+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
252252
with:
253253
name: '${{ env.TESTS_REPORTS_ARTIFACT }}_regular_${{ matrix.os }}_node${{ matrix.node-version }}'
254254
path: ${{ env.REPORTS_DIR }}
@@ -262,10 +262,10 @@ jobs:
262262
steps:
263263
- name: Checkout
264264
# see https://github.com/actions/checkout
265-
uses: actions/checkout@v6
265+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
266266
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
267267
# see https://github.com/actions/setup-node
268-
uses: actions/setup-node@v6
268+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
269269
with:
270270
node-version: ${{ env.NODE_ACTIVE_LTS }}
271271
package-manager-cache: false
@@ -282,7 +282,7 @@ jobs:
282282
echo "::endgroup::"
283283
- name: fetch build artifact
284284
# see https://github.com/actions/download-artifact
285-
uses: actions/download-artifact@v7
285+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
286286
with:
287287
name: dist.node
288288
path: dist.node
@@ -297,7 +297,7 @@ jobs:
297297
- name: artifact test reports
298298
if: ${{ ! cancelled() }}
299299
# see https://github.com/actions/upload-artifact
300-
uses: actions/upload-artifact@v6
300+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
301301
with:
302302
name: '${{ env.TESTS_REPORTS_ARTIFACT }}_no-opt_${{ matrix.os }}_node${{ matrix.node-version }}'
303303
path: ${{ env.REPORTS_DIR }}
@@ -312,7 +312,7 @@ jobs:
312312
steps:
313313
- name: fetch test artifacts
314314
# see https://github.com/actions/download-artifact
315-
uses: actions/download-artifact@v7
315+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
316316
with:
317317
pattern: '${{ env.TESTS_REPORTS_ARTIFACT }}_*'
318318
merge-multiple: true
@@ -323,7 +323,7 @@ jobs:
323323
## see https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-using-secrets
324324
if: ${{ env.CODACY_PROJECT_TOKEN != '' }}
325325
# see https://github.com/codacy/codacy-coverage-reporter-action
326-
uses: codacy/codacy-coverage-reporter-action@v1
326+
uses: codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1
327327
with:
328328
project-token: ${{ env.CODACY_PROJECT_TOKEN }}
329329
coverage-reports: ${{ env.REPORTS_DIR }}/coverage/*/*
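Review bot: The `codacy/codacy-coverage-reporter-action@89d6c85cfafaec52c72b6c5e8b2878d33104c699 # v1` line is a third-party action that receives `project-token: ${{ env.CODACY_PROJECT_TOKEN }}`, so the SHA pin matters more here than for the first-party `actions/*` steps: the floating `v1` tag could have been retargeted upstream, whereas the SHA fixes exactly which code sees the token, and the existing `if: ${{ env.CODACY_PROJECT_TOKEN != '' }}` guard already keeps the step from running where no token is configured. Minor nit in the context above the changed line: `## see https://docs.github.com/...` uses a double `#` where every other reference comment in the file uses a single one.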
@@ -341,16 +341,16 @@ jobs:
341341
steps:
342342
- name: Checkout
343343
# see https://github.com/actions/checkout
344-
uses: actions/checkout@v6
344+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
345345
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
346346
# see https://github.com/actions/setup-node
347-
uses: actions/setup-node@v6
347+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
348348
with:
349349
node-version: ${{ env.NODE_ACTIVE_LTS }}
350350
package-manager-cache: false
351351
- name: fetch build artifact 'node'
352352
# see https://github.com/actions/download-artifact
353-
uses: actions/download-artifact@v7
353+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
354354
with:
355355
name: dist.node
356356
path: dist.node
@@ -393,22 +393,22 @@ jobs:
393393
steps:
394394
- name: Checkout
395395
# see https://github.com/actions/checkout
396-
uses: actions/checkout@v6
396+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
397397
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
398398
# see https://github.com/actions/setup-node
399-
uses: actions/setup-node@v6
399+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
400400
with:
401401
node-version: ${{ env.NODE_ACTIVE_LTS }}
402402
package-manager-cache: false
403403
- name: fetch build artifact 'd'
404404
# see https://github.com/actions/download-artifact
405-
uses: actions/download-artifact@v7
405+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
406406
with:
407407
name: dist.d
408408
path: dist.d
409409
- name: fetch build artifact 'node'
410410
# see https://github.com/actions/download-artifact
411-
uses: actions/download-artifact@v7
411+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
412412
with:
413413
name: dist.node
414414
path: dist.node
@@ -454,16 +454,16 @@ jobs:
454454
steps:
455455
- name: Checkout
456456
# see https://github.com/actions/checkout
457-
uses: actions/checkout@v6
457+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
458458
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
459459
# see https://github.com/actions/setup-node
460-
uses: actions/setup-node@v6
460+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
461461
with:
462462
node-version: ${{ env.NODE_ACTIVE_LTS }}
463463
package-manager-cache: false
464464
- name: fetch build artifact 'node'
465465
# see https://github.com/actions/download-artifact
466-
uses: actions/download-artifact@v7
466+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
467467
with:
468468
name: dist.web
469469
path: dist.web
@@ -489,10 +489,10 @@ jobs:
489489
steps:
490490
- name: Checkout
491491
# see https://github.com/actions/checkout
492-
uses: actions/checkout@v6
492+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
493493
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
494494
# see https://github.com/actions/setup-node
495-
uses: actions/setup-node@v6
495+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
496496
with:
497497
node-version: ${{ env.NODE_ACTIVE_LTS }}
498498
package-manager-cache: false

.github/workflows/release.yml

Lines changed: 7 additions & 7 deletions
@@ -51,7 +51,7 @@ jobs:
5151
steps:
5252
- name: Checkout code
5353
# see https://github.com/actions/checkout
54-
uses: actions/checkout@v6
54+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
5555
- name: Configure Git
5656
# needed for push back of changes
5757
run: |
@@ -60,7 +60,7 @@ jobs:
6060
git config --local user.name "${GITHUB_ACTOR}"
6161
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
6262
# see https://github.com/actions/setup-node
63-
uses: actions/setup-node@v6
63+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
6464
with:
6565
node-version: ${{ env.NODE_ACTIVE_LTS }}
6666
package-manager-cache: false
@@ -97,12 +97,12 @@ jobs:
9797
steps:
9898
- name: Checkout code
9999
# see https://github.com/actions/checkout
100-
uses: actions/checkout@v6
100+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
101101
with:
102102
ref: ${{ needs.bump.outputs.version }}
103103
- name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
104104
# see https://github.com/actions/setup-node
105-
uses: actions/setup-node@v6
105+
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
106106
with:
107107
node-version: ${{ env.NODE_ACTIVE_LTS }}
108108
package-manager-cache: false
@@ -144,7 +144,7 @@ jobs:
144144
npm pack --pack-destination "$PACKED_DIR"
145145
- name: artifact release result
146146
# see https://github.com/actions/upload-artifact
147-
uses: actions/upload-artifact@v6
147+
uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
148148
with:
149149
name: ${{ env.PACKED_ARTIFACT }}
150150
path: ${{ env.PACKED_DIR }}/
@@ -164,14 +164,14 @@ jobs:
164164
steps:
165165
- name: fetch release result
166166
# see https://github.com/actions/download-artifact
167-
uses: actions/download-artifact@v7
167+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
168168
with:
169169
name: ${{ env.PACKED_ARTIFACT }}
170170
path: ${{ env.ASSETS_DIR }}
171171
- name: Create Release
172172
id: release
173173
# see https://github.com/softprops/action-gh-release
174-
uses: softprops/action-gh-release@v2
174+
uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
175175
env:
176176
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
177177
with:
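Review bot: The `uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2` step runs with `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and creates the release, so it is the pin with the most at stake in this set: under the floating `v2` tag, any change to where that tag points would have run with the release token on the next tag push, while the SHA holds the code fixed until Dependabot proposes a bump that gets reviewed. Worth pairing with a check, outside this hunk, that the job's `permissions:` grant this token only what release creation needs.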
