chore: Harden publish and integration test workflows against supply chain attacks (#680)

ava-silver · web-flow · commit 3e8dac99d70d · 2026-03-31T10:27:59.000-04:00
diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -11,10 +11,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
       - name: Set up Node 24
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 24
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,13 +12,13 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
       - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: "24.x"
           registry-url: "https://registry.npmjs.org"
       - run: corepack enable && corepack prepare yarn@4.10.3 --activate
-      - run: yarn
+      - run: yarn install --immutable
       - run: yarn build
       - run: npm publish
 
