chore: pin GitHub Actions to immutable commit SHAs (#908)

jkowalleck · web-flow · commit 6bd0b0a11eb9 · 2026-04-16T13:00:55.000+02:00
As discussed in issue #907, this PR pins all GitHub Actions `uses:` references from mutable version tags to exact commit SHAs, while retaining the tag in a trailing comment so Dependabot can still detect upstream changes and propose updates via pull requests. fixes #907
diff --git a/.github/workflows/build_docs.yml b/.github/workflows/build_docs.yml
@@ -21,10 +21,10 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
     - name: Set up JDK
       # see https://github.com/actions/setup-java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: '21'
         distribution: 'zulu'
@@ -33,7 +33,7 @@ jobs:
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: XML-Schema-documentation
         path: docgen/xml/docs
@@ -46,18 +46,18 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
     - name: Setup Python Environment
       # see https://github.com/actions/setup-python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ env.PYTHON_VERSION_DEFAULT }}
         architecture: 'x64'
     - name: Generate Schema documentation
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: JSON-Schema-documentation
         path: docgen/json/docs
@@ -70,12 +70,12 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
     - name: Generate Schema documentation
       run: ./gen.sh
     - name: Archive Schema documentation
       # https://github.com/actions/upload-artifact
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: PROTO-Schema-documentation
         path: docgen/proto/docs
diff --git a/.github/workflows/bundle_2.0_schemas.yml b/.github/workflows/bundle_2.0_schemas.yml
@@ -19,12 +19,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '20'
 
diff --git a/.github/workflows/generate_algorithm_families.yml b/.github/workflows/generate_algorithm_families.yml
@@ -17,13 +17,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           persist-credentials: false
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: '3.x'
 
diff --git a/.github/workflows/test_java.yml b/.github/workflows/test_java.yml
@@ -23,10 +23,10 @@ jobs:
     steps:
     - name: Checkout
       # see https://github.com/actions/checkout
-      uses: actions/checkout@v6
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
     - name: Set up JDK
       # see https://github.com/actions/setup-java
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
       with:
         java-version: '8'
         distribution: 'zulu'
diff --git a/.github/workflows/test_js.yml b/.github/workflows/test_js.yml
@@ -26,10 +26,10 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup Node.js
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: '24.x'
           package-manager-cache: false
diff --git a/.github/workflows/test_php.yml b/.github/workflows/test_php.yml
@@ -26,10 +26,10 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Setup PHP
         # see https://github.com/shivammathur/setup-php
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2
         with:
           php-version: "8.4"
           tools: composer:v2
diff --git a/.github/workflows/test_proto.yml b/.github/workflows/test_proto.yml
@@ -26,6 +26,6 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
       - name: Run test
         run: ./test.sh
diff --git a/.github/workflows/update_spdx_licenses.yml b/.github/workflows/update_spdx_licenses.yml
@@ -23,12 +23,12 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.ref_name }}
       - name: Set up JDK
         # see https://github.com/actions/setup-java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           java-version: '21'
           distribution: 'zulu'
@@ -54,7 +54,7 @@ jobs:
       - name: Artifact changes
         if: ${{ steps.diff.outputs.changed == 'true' }}
         # https://github.com/actions/upload-artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           retention-days: 1
           name: schema-spdx
@@ -74,7 +74,7 @@ jobs:
     steps:
       - name: Checkout
         # see https://github.com/actions/checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.ref_name }}
       - name: Switch branch
@@ -93,7 +93,7 @@ jobs:
           fi
       - name: Fetch changes
         # https://github.com/actions/download-artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5
         with:
           name: schema-spdx
           path: schema
