chore: update GitHub Actions to use commit hashes

Author: LizardByte-bot

.github/workflows/__audit-repos.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Audit
-        uses: LizardByte/actions/actions/audit_repos@v2026.129.194351
+        uses: LizardByte/actions/actions/audit_repos@09a6e10dc8175f2933c20bdf35fde0a193a9c00e  # v2026.129.194351
         with:
           allowEmptyDescription: true
           checkDiscussions: org

.github/workflows/__call-ci-node.yml

@@ -31,11 +31,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
 
       - name: Setup Release
         id: setup_release
-        uses: LizardByte/actions/actions/release_setup@v2026.129.194351
+        uses: LizardByte/actions/actions/release_setup@09a6e10dc8175f2933c20bdf35fde0a193a9c00e  # v2026.129.194351
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -45,10 +45,10 @@ jobs:
       - setup_release
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
 
       - name: Setup node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
         with:
           node-version: latest
 
@@ -124,7 +124,7 @@ jobs:
     steps:
       - name: Create Release
         id: action
-        uses: LizardByte/actions/actions/release_create@v2026.129.194351
+        uses: LizardByte/actions/actions/release_create@09a6e10dc8175f2933c20bdf35fde0a193a9c00e  # v2026.129.194351
         with:
           allowUpdates: false
           artifacts: ''

.github/workflows/__call-codeql.yml

@@ -18,11 +18,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
 
       - name: Get repo languages
         id: lang
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             // CodeQL supports the following:
@@ -146,7 +146,7 @@ jobs:
 
       - name: Continue
         id: continue
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             // if matrix['include'] is an empty list return false, otherwise true
@@ -175,13 +175,13 @@ jobs:
     timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 60 }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
         with:
           submodules: recursive
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v4.32.1
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -201,10 +201,10 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
       - name: Autobuild
         if: matrix.build-mode == 'autobuild'
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v4.32.1
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v4.32.1
         with:
           category: "${{ matrix.category }}"
           output: sarif-results
@@ -221,13 +221,13 @@ jobs:
             -third\-party/**
 
       - name: Upload SARIF
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314  # v4.32.1
         with:
           category: "${{ matrix.category }}"
           sarif_file: sarif-results/${{ matrix.language }}.sarif
 
       - name: Upload loc as a Build Artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: sarif-results-${{ matrix.language }}-${{ runner.os }}
           path: sarif-results

.github/workflows/__call-common-lint.yml

@@ -18,11 +18,11 @@ jobs:
       CLANG_FORMAT_VERSION: 20
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
 
       - name: Get changed files
         id: changed_files
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const opts = github.rest.pulls.listFiles.endpoint.merge({
@@ -77,7 +77,7 @@ jobs:
           done
 
       - name: Set up Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
         with:
           python-version: '3.12'
 

.github/workflows/__call-docker.yml

@@ -64,7 +64,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
 
       - name: Find dockerfiles
         id: find
@@ -128,13 +128,13 @@ jobs:
     steps:
       - name: More space
         if: inputs.maximize_build_space
-        uses: LizardByte/actions/actions/more_space@v2026.129.194351
+        uses: LizardByte/actions/actions/more_space@09a6e10dc8175f2933c20bdf35fde0a193a9c00e  # v2026.129.194351
         with:
           analyze-space-savings: true
           clean-all: true
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
         with:
           submodules: recursive
 
@@ -230,7 +230,7 @@ jobs:
         uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3.12.0
 
       - name: Cache Docker Layers
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306  # v5.0.3
         with:
           path: /tmp/.buildx-cache
           key: Docker-buildx${{ matrix.tag }}-${{ github.sha }}
@@ -306,7 +306,7 @@ jobs:
 
       - name: Upload Artifacts
         if: steps.prepare.outputs.artifacts == 'true'
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f  # v6.0.0
         with:
           name: build-Docker${{ matrix.tag }}
           path: artifacts/
@@ -323,7 +323,7 @@ jobs:
       - docker
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
         with:
           sparse-checkout: |
             DOCKER_README.md

.github/workflows/__call-release-notifier.yml

@@ -26,7 +26,7 @@ jobs:
         env:
           TOPIC: replicator-release-notifications
         id: check-label
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const topic = process.env.TOPIC;
@@ -46,7 +46,7 @@ jobs:
       - name: Check if latest GitHub release
         id: check-release
         if: steps.check-label.outputs.hasTopic == 'true'
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const latestRelease = await github.rest.repos.getLatestRelease({
@@ -60,7 +60,7 @@ jobs:
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true'
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
         with:
           repository: "LizardByte/LizardByte.github.io"
 

.github/workflows/__call-update-changelog.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Update Changelog
-        uses: LizardByte/actions/actions/release_changelog@v2026.129.194351
+        uses: LizardByte/actions/actions/release_changelog@09a6e10dc8175f2933c20bdf35fde0a193a9c00e  # v2026.129.194351
         with:
           changelogBranch: changelog
           changelogFile: CHANGELOG.md

.github/workflows/__call-update-docs.yml

@@ -56,7 +56,7 @@ jobs:
         if: >-
           github.event_name == 'release' &&
           github.event.action == 'edited'
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const latestRelease = await github.rest.repos.getLatestRelease({

.github/workflows/__call-update-flathub-repo.yml

@@ -26,7 +26,7 @@ jobs:
         id: check-label
         env:
           TOPIC: flathub-pkg
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const topic = process.env.TOPIC;
@@ -46,7 +46,7 @@ jobs:
       - name: Check if latest GitHub release
         id: check-release
         if: steps.check-label.outputs.hasTopic == 'true'
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const latestRelease = await github.rest.repos.getLatestRelease({
@@ -60,13 +60,13 @@ jobs:
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true'
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
 
       - name: Checkout flathub-repo
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           steps.check-release.outputs.isLatestRelease == 'true'
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
         with:
           repository: "flathub/${{ env.FLATHUB_PKG }}"
           path: "flathub/${{ env.FLATHUB_PKG }}"

.github/workflows/__call-update-homebrew-repo.yml

@@ -24,7 +24,7 @@ jobs:
         id: check-label
         env:
           TOPIC: homebrew-pkg
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             const topic = process.env.TOPIC;
@@ -58,7 +58,7 @@ jobs:
         if: >-
           steps.check-label.outputs.hasTopic == 'true' &&
           fromJson(steps.download.outputs.downloaded_files)[0]
-        uses: LizardByte/actions/actions/release_homebrew@v2026.129.194351
+        uses: LizardByte/actions/actions/release_homebrew@09a6e10dc8175f2933c20bdf35fde0a193a9c00e  # v2026.129.194351
         with:
           formula_file: ${{ fromJson(steps.download.outputs.downloaded_files)[0] }}
           git_email: ${{ secrets.GH_EMAIL }}