fix: Pin hashes (#19)

Author: AndyRae

.github/workflows/dependency-review.yml

@@ -12,8 +12,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Dependency review
-        uses: actions/dependency-review-action@v4
-
+        uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

.github/workflows/pr-title.yml

@@ -12,7 +12,6 @@ jobs:
 
     steps:
       - name: Validate PR title
-        uses: amannn/action-semantic-pull-request@v5
+        uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6.1.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-

.github/workflows/publish-container.yml

@@ -5,38 +5,38 @@ on:
   workflow_call:
     inputs:
       image-name:
-        description: 'Container image name (e.g. my-app)'
+        description: "Container image name (e.g. my-app)"
         required: true
         type: string
       image-description:
-        description: 'Description used in OCI annotations'
+        description: "Description used in OCI annotations"
         required: false
-        default: ''
+        default: ""
         type: string
       registry:
-        description: 'Container registry host (e.g. ghcr.io)'
+        description: "Container registry host (e.g. ghcr.io)"
         required: false
-        default: 'ghcr.io'
+        default: "ghcr.io"
         type: string
       repo-owner:
-        description: 'Owner/namespace for the image (defaults to calling repo owner)'
+        description: "Owner/namespace for the image (defaults to calling repo owner)"
         required: false
-        default: ''
+        default: ""
         type: string
       context:
-        description: 'Build context passed to Docker (e.g. . or ./app)'
+        description: "Build context passed to Docker (e.g. . or ./app)"
         required: false
-        default: '.'
+        default: "."
         type: string
       dockerfile:
-        description: 'Relative path to Dockerfile'
+        description: "Relative path to Dockerfile"
         required: false
-        default: 'Dockerfile'
+        default: "Dockerfile"
         type: string
       platforms:
-        description: 'Target platforms for the image (comma-separated)'
+        description: "Target platforms for the image (comma-separated)"
         required: false
-        default: 'linux/amd64,linux/arm64'
+        default: "linux/amd64,linux/arm64"
         type: string
 
 env:
@@ -55,7 +55,7 @@ jobs:
       packages: write
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0

.github/workflows/semantic-release.yml

@@ -4,16 +4,16 @@ on:
   workflow_call:
     inputs:
       node-version:
-        description: 'Node.js version to use'
+        description: "Node.js version to use"
         required: false
-        default: '24'
+        default: "24"
         type: string
     outputs:
       release-created:
-        description: 'Whether semantic-release created a new release/tag'
+        description: "Whether semantic-release created a new release/tag"
         value: ${{ jobs.release.outputs.release-created }}
       release-tag:
-        description: 'The tag created by semantic-release (empty if no release was created)'
+        description: "The tag created by semantic-release (empty if no release was created)"
         value: ${{ jobs.release.outputs.release-tag }}
 
 permissions:
@@ -35,14 +35,14 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Full history is required — semantic-release reads all commits since the last
           # tag to determine the next version and generate the changelog.
           fetch-depth: 0
 
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ inputs.node-version }}
 

samples/check.dependency-review.yaml

@@ -1,10 +1,10 @@
-name: 'Dependency Review'
+name: "Dependency Review"
 on: [pull_request]
 
 permissions:
   contents: read
 
 jobs:
   dependency-review:
-    uses: health-informatics-uon/workflows/.github/workflows/dependency-review.yml@1.3.0
+    uses: health-informatics-uon/workflows/.github/workflows/dependency-review.yml@6411293719f0d3fc7fddb74530d4435333460e4f # v 1.4.1
     secrets: inherit

samples/check.pr-title.yaml

@@ -1,4 +1,4 @@
-name: 'Check PR title'
+name: "Check PR title"
 
 on:
   pull_request:
@@ -10,6 +10,6 @@ on:
 
 jobs:
   main:
-    uses: health-informatics-uon/workflows/.github/workflows/pr-title.yml@1.3.0
+    uses: health-informatics-uon/workflows/.github/workflows/pr-title.yml@6411293719f0d3fc7fddb74530d4435333460e4f # v 1.4.1
     permissions:
       pull-requests: read

samples/release.container.yaml

@@ -17,18 +17,18 @@ on:
 
 jobs:
   release:
-    uses: health-informatics-uon/workflows/.github/workflows/semantic-release.yml@1.3.0
+    uses: health-informatics-uon/workflows/.github/workflows/semantic-release.yml@6411293719f0d3fc7fddb74530d4435333460e4f # v 1.4.1
     with:
-      node-version: '24'
+      node-version: "24"
     secrets: inherit
 
   publish-container:
-    uses: health-informatics-uon/workflows/.github/workflows/publish-container.yml@1.3.0
+    uses: health-informatics-uon/workflows/.github/workflows/publish-container.yml@6411293719f0d3fc7fddb74530d4435333460e4f # v 1.4.1
     with:
       # Set your container image name
       image-name: <YOUR_IMAGE_NAME>
       # Describe your container image
-      image-description: '<YOUR_IMAGE_DESCRIPTION>'
+      image-description: "<YOUR_IMAGE_DESCRIPTION>"
       registry: ghcr.io
       # Path to the build context (usually '.')
       context: .
@@ -39,7 +39,7 @@ jobs:
     secrets: inherit
 
   semver-container:
-    uses: health-informatics-uon/workflows/.github/workflows/semver-container.yml@1.3.0
+    uses: health-informatics-uon/workflows/.github/workflows/semver-container.yml@6411293719f0d3fc7fddb74530d4435333460e4f # v 1.4.1
     needs: [release, publish-container]
     if: needs.release.outputs.release-created == 'true'
     with:

samples/release.pypi.yaml

@@ -17,9 +17,9 @@ on:
 
 jobs:
   release:
-    uses: health-informatics-uon/workflows/.github/workflows/semantic-release.yml@1.4.0
+    uses: health-informatics-uon/workflows/.github/workflows/semantic-release.yml@6411293719f0d3fc7fddb74530d4435333460e4f # v 1.4.1
     with:
-      node-version: '24'
+      node-version: "24"
     secrets: inherit
 
   # PyPI trusted publishing (OIDC) cannot be used from within a reusable workflow.
@@ -36,16 +36,16 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
-          python-version: '3.x'
+          python-version: "3.x"
 
       - name: Build package
         run: |
           pip install build
           python -m build
 
       - name: Publish to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0