chore(ci): pin GitHub Actions in docs.yml by commit SHA

markuslf · markuslf · commit a54eb2341855 · 2026-04-12T20:40:13.000+02:00
Clears the four OpenSSF Scorecard PinnedDependenciesID alerts against
.github/workflows/docs.yml by pinning actions/checkout, actions/setup-python,
actions/upload-pages-artifact and actions/deploy-pages by commit SHA,
with the version kept as a trailing comment for human readability.

Dependabot is already configured for `github-actions` (see
.github/dependabot.yml) and updates hash-pinned actions natively in the
same PR as it would for tag-pinned ones.

The two remaining pip-related Scorecard alerts (docs.yml:31,
pre-commit-autoupdate.yml:27) are a conscious tradeoff against
Dependabot breakage, already documented in an earlier CHANGELOG entry,
and will be dismissed as "won't fix" rather than reverted.
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -19,10 +19,10 @@ jobs:
     runs-on: 'ubuntu-latest'
     steps:
       - name: 'Checkout repository'
-        uses: 'actions/checkout@v6'
+        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
 
       - name: 'Set up Python'
-        uses: 'actions/setup-python@v6'
+        uses: 'actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405' # v6.2.0
         with:
           python-version: '3.12'
 
@@ -36,7 +36,7 @@ jobs:
         run: 'mkdocs build --strict'
 
       - name: 'Upload Pages artifact'
-        uses: 'actions/upload-pages-artifact@v4'
+        uses: 'actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b' # v4.0.0
         with:
           path: 'site'
 
@@ -49,4 +49,4 @@ jobs:
     steps:
       - name: 'Deploy to GitHub Pages'
         id: 'deployment'
-        uses: 'actions/deploy-pages@v5'
+        uses: 'actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128' # v5.0.0
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 * Fix `--require-hashes` pip install in pre-commit autoupdate workflow by using pinned version instead
 * tox.ini: disable the sdist build (`no_package = true`) so `tox` no longer trips over the flat top-level layout with "Multiple top-level packages discovered". The repo is a collection of plugin scripts, not a Python package
+* `.github/workflows/docs.yml`: pin all GitHub Actions by commit SHA (with the version as a trailing comment) instead of by tag, clearing the four OpenSSF Scorecard `PinnedDependenciesID` alerts. Dependabot is already configured for `github-actions` and updates hash-pinned actions natively
 * deb-updates: add missing `lib.txt` import so the "N update(s) available" summary no longer crashes with `AttributeError` at runtime
 * mysql-memory: fix `get_other_process_memory()` fallback path for psutil older than 5.3.0 (referenced an undefined `cmdline` variable and the wrong attribute on the process dict) and drop an unreachable `break` after `return` in `get_pfs_memory()`
 * mysql-storage-engines: drop a dead `SELECT ... FROM information_schema.engines` query whose result was never used
