ci: Pin GitHub Actions to specific commit SHAs (#561)

Author: ReenigneArcher

.github/workflows/__call-codeql.yml

@@ -217,7 +217,7 @@ jobs:
           upload: failure-only
 
       - name: filter-sarif
-        uses: advanced-security/filter-sarif@v1
+        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d  # v1.0.1
         with:
           input: sarif-results/${{ matrix.language }}.sarif
           output: sarif-results/${{ matrix.language }}.sarif

.github/workflows/__call-common-lint.yml

@@ -176,7 +176,7 @@ jobs:
 
       - name: check-trailing-spaces
         if: always()
-        uses: marcopaganini/check-trailing-spaces@v2.0.0
+        uses: marcopaganini/check-trailing-spaces@8cb92e10874ed9bd54d89f2848f98308242527bd  # v2.0.0
 
       - name: C++ - find files
         id: cpp_files
@@ -224,7 +224,7 @@ jobs:
       - name: C++ - Clang format (diff)
         id: clang_format_diff
         if: always() && steps.cpp_files.outputs.found_files
-        uses: DoozyX/clang-format-lint-action@v0.20
+        uses: DoozyX/clang-format-lint-action@bcb4eb2cb0d707ee4f3e5cc3b456eb075f12cf73  # v0.20
         with:
           source: ${{ steps.cpp_files.outputs.found_files }}
           clangFormatVersion: '${{ env.CLANG_FORMAT_VERSION }}'
@@ -470,7 +470,7 @@ jobs:
 
       - name: Setup Rust
         if: always() && steps.run_cargo.outputs.found_cargo == 'true'
-        uses: actions-rust-lang/setup-rust-toolchain@v1.15.2
+        uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c  # v1.15.2
         with:
           components: 'rustfmt'
           cache: false

.github/workflows/__call-docker.yml

@@ -229,11 +229,11 @@ jobs:
           } >> "${GITHUB_OUTPUT}"
 
       - name: Set Up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130  # v3.7.0
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
 
       - name: Cache Docker Layers
         uses: actions/cache@v4
@@ -245,14 +245,14 @@ jobs:
 
       - name: Log in to Docker Hub
         if: inputs.publish_release == 'true'  # PRs do not have access to secrets
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
 
       - name: Log in to the Container registry
         if: inputs.publish_release == 'true'  # PRs do not have access to secrets
-        uses: docker/login-action@v3
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef  # v3.6.0
         with:
           registry: ghcr.io
           username: ${{ secrets.GH_BOT_NAME }}
@@ -267,7 +267,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
         with:
           context: ./
           file: ${{ matrix.dockerfile }}
@@ -336,7 +336,7 @@ jobs:
           sparse-checkout-cone-mode: false
 
       - name: Update Docker Hub Description
-        uses: peter-evans/dockerhub-description@v5
+        uses: peter-evans/dockerhub-description@1b9a80c056b620d92cedb9d9b5a223409c68ddfa  # v5.0.0
         with:
           username: ${{ secrets.DOCKER_HUB_USERNAME }}
           password: ${{ secrets.DOCKER_HUB_PASSWORD }}  # token is not currently supported

.github/workflows/__call-release-notifier.yml

@@ -118,7 +118,7 @@ jobs:
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true'
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412  # v7.0.9
         with:
           author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
           committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"

.github/workflows/__call-update-flathub-repo.yml

@@ -102,7 +102,7 @@ jobs:
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true'
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05  # v1.12
         with:
           repository: "${{ github.repository }}"
           tag: "${{ github.event.release.tag_name }}"
@@ -156,7 +156,7 @@ jobs:
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true' &&
           fromJson(steps.download.outputs.downloaded_files)[0]
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412  # v7.0.9
         with:
           author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
           committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"

.github/workflows/__call-update-homebrew-repo.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Download release asset
         id: download
         if: steps.check-label.outputs.hasTopic == 'true'
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05  # v1.12
         with:
           repository: "${{ github.repository }}"
           tag: "${{ github.event.release.tag_name }}"

.github/workflows/__call-update-pacman-repo.yml

@@ -76,7 +76,7 @@ jobs:
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true'
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05  # v1.12
         with:
           repository: "${{ github.repository }}"
           tag: "${{ github.event.release.tag_name }}"
@@ -99,7 +99,7 @@ jobs:
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true' &&
           fromJson(steps.download.outputs.downloaded_files)[0]
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412  # v7.0.9
         with:
           author: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"
           committer: "${{ secrets.GH_NAME }} <${{ secrets.GH_EMAIL }}>"

.github/workflows/__call-update-winget-repo.yml

@@ -46,7 +46,7 @@ jobs:
       - name: Download release asset
         id: download
         if: steps.check-label.outputs.hasTopic == 'true'
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05  # v1.12
         with:
           repository: "${{ github.repository }}"
           tag: "${{ github.event.release.tag_name }}"
@@ -60,7 +60,7 @@ jobs:
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           fromJson(steps.download.outputs.downloaded_files)[0]
-        uses: vedantmgoyal2009/winget-releaser@v2
+        uses: vedantmgoyal2009/winget-releaser@4ffc7888bffd451b357355dc214d43bb9f23917e  # v2
         with:
           identifier: "${{ github.repository_owner }}.${{ github.event.repository.name }}"
           release-tag: ${{ github.event.release.tag_name }}

.github/workflows/__cla-gist-replicator.yml

@@ -31,7 +31,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Deploy Gist
-        uses: exuanbo/actions-deploy-gist@v1
+        uses: exuanbo/actions-deploy-gist@47697fceaeea2006a90594ee24eb9cd0a1121ef8  # v1.1.4
         with:
           token: ${{ secrets.GH_BOT_TOKEN }}
           gist_id: ${{ secrets.CLA_GIST_ID }}

.github/workflows/__social-post.yml

@@ -49,7 +49,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: discord
-        uses: sarisia/actions-status-discord@v1
+        uses: sarisia/actions-status-discord@b8381b25576cb341b2af39926ab42c5056cc44ed  # v1.15.5
         with:
           avatar_url: ${{ vars.ORG_LOGO_URL }}256
           color: 0x${{ vars.COLOR_HEX_GREEN }}
@@ -81,7 +81,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: reddit
-        uses: bluwy/release-for-reddit-action@v2
+        uses: bluwy/release-for-reddit-action@b4ee0e0d64da893e0428912aac5cda675082bd85  # v2
         with:
           username: ${{ secrets.REDDIT_USERNAME }}
           password: ${{ secrets.REDDIT_PASSWORD }}
@@ -98,7 +98,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: x
-        uses: nearform-actions/github-action-notify-twitter@v1
+        uses: nearform-actions/github-action-notify-twitter@b3fa623c2f320117e8a08e20564c4ce0a5e67930  # v1.2.3
         # alternative: noweh/post-tweet-v2-action@v1.0
         with:
           message: "${{ inputs.title }}: ${{ inputs.body }}"