chore: pin github actions to SHA hashes

Author: yasnagat

.github/actions/build-docker/action.yml

@@ -37,15 +37,15 @@ runs:
   steps:
     - name: Login to GitHub Container Registry
       if: inputs.publish-image == 'true' && github.actor != 'dependabot[bot]' && (github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'release' || github.ref == 'refs/heads/develop')
-      uses: docker/login-action@v3
+      uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
       with:
         registry: ghcr.io
         username: ${{ inputs.CR_USER }}
         password: ${{ inputs.CR_PAT }}
 
     - name: Restore meteor build
       if: inputs.service == 'rocketchat'
-      uses: actions/download-artifact@v6
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: build-${{ inputs.type }}
         path: /tmp/build
@@ -60,7 +60,7 @@ runs:
 
     - name: Set up Docker
       if: inputs.setup-docker == 'true'
-      uses: docker/setup-docker-action@v4
+      uses: docker/setup-docker-action@e43656e248c0bd0647d3f5c195d116aacf6fcaf4 # v4.7.0
       with:
         daemon-config: |
           {
@@ -175,13 +175,13 @@ runs:
 
     - name: Upload Docker image artifact
       if: inputs.publish-image == 'false' && inputs.arch == 'amd64'
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: docker-image-${{ inputs.service }}-${{ inputs.arch }}-${{ inputs.type }}
         path: /tmp/docker-images/${{ inputs.service }}-${{ inputs.arch }}-${{ inputs.type }}.tar
         retention-days: 1
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: inputs.publish-image == 'true'
       with:
         name: manifests-${{ inputs.service }}-${{ inputs.arch }}-${{ inputs.type }}

.github/actions/docker-image-size-tracker/action.yml

@@ -57,7 +57,7 @@ runs:
   using: 'composite'
   steps:
     - name: Download manifests
-      uses: actions/download-artifact@v6
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         pattern: manifests-*
         path: /tmp/manifests

.github/actions/meteor-build/action.yml

@@ -27,14 +27,14 @@ runs:
 
   steps:
     - name: Cache build
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       id: cache-build
       with:
         path: /tmp/Rocket.Chat.tar.gz
         key: ${{ runner.arch }}-${{ runner.os }}-${{ inputs.type }}-rc-build-${{ inputs.source-hash }}
 
     - name: Set Swap Space
-      uses: pierotofy/set-swap-space@master
+      uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c # v1.0.0  
       if: steps.cache-build.outputs.cache-hit != 'true'
       with:
         swap-size-gb: 4
@@ -66,7 +66,7 @@ runs:
     #     df -h
 
     - name: Cache vite
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       if: steps.cache-build.outputs.cache-hit != 'true'
       with:
         path: ./node_modules/.vite
@@ -75,7 +75,7 @@ runs:
           vite-local-cache-${{ runner.arch }}-${{ runner.os }}-
 
     - name: Cache meteor local
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       if: steps.cache-build.outputs.cache-hit != 'true'
       with:
         path: ./apps/meteor/.meteor/local
@@ -84,7 +84,7 @@ runs:
           meteor-local-cache-${{ runner.arch }}-${{ runner.os }}-${{ inputs.type }}-
 
     - name: Cache meteor
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       if: steps.cache-build.outputs.cache-hit != 'true'
       with:
         path: ~/.meteor
@@ -134,7 +134,7 @@ runs:
       run: meteor reset
 
     - name: Restore packages build
-      uses: actions/download-artifact@v6
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: packages-build
         path: /tmp
@@ -210,7 +210,7 @@ runs:
         tar czf /tmp/Rocket.Chat.tar.gz bundle
 
     - name: Store build
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: build-${{ inputs.type }}
         path: /tmp/Rocket.Chat.tar.gz

.github/actions/restore-packages/action.yml

@@ -5,7 +5,7 @@ runs:
   using: 'composite'
   steps:
     - name: Restore packages build
-      uses: actions/download-artifact@v8
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
       with:
         name: packages-build
         path: /tmp

.github/actions/setup-node/action.yml

@@ -59,7 +59,7 @@ runs:
     - name: Cache Deno (apps-engine)
       if: inputs.cache-modules
       id: cache-deno
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: packages/apps-engine/.deno-cache
         key: deno-${{ runner.os }}-${{ runner.arch }}-v${{ env.DENO_VERSION }}-${{ hashFiles('packages/apps-engine/deno-runtime/deno.lock') }}
@@ -68,7 +68,7 @@ runs:
 
     - name: Use Node.js ${{ env.NODE_VERSION }}
       id: node-version
-      uses: actions/setup-node@v6.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODE_VERSION }}
         cache: ${{ inputs.cache-modules && 'yarn' || '' }}
@@ -80,7 +80,7 @@ runs:
 
     - name: Cache mongodb-memory-server binary
       if: inputs.cache-modules
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ${{ runner.temp }}/mongodb-memory-server
         key: mongoms-${{ runner.arch }}-${{ runner.os }}-${{ hashFiles('yarn.lock') }}

.github/actions/setup-playwright/action.yml

@@ -6,7 +6,7 @@ runs:
 
   steps:
     - name: Cache Playwright binaries
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       id: cache-playwright
       with:
         path: |

.github/workflows/auto-close-duplicates.yml

@@ -15,10 +15,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Bun
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
         with:
           bun-version: latest
 

.github/workflows/ci-code-check.yml

@@ -26,11 +26,11 @@ jobs:
 
     steps:
       - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
+        uses: pierotofy/set-swap-space@49819abfb41bd9b44fb781159c033dba90353a7c # v1.0.0
         with:
           swap-size-gb: 4
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup NodeJS
         uses: ./.github/actions/setup-node
@@ -48,7 +48,7 @@ jobs:
       - name: Restore TypeScript incremental cache
         id: restore-typecheck
         if: matrix.check == 'ts'
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ./apps/meteor/tsconfig.typecheck.tsbuildinfo
           key: typecheck-cache-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
@@ -89,15 +89,15 @@ jobs:
 
       - name: Save TypeScript incremental cache
         if: matrix.check == 'ts' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ./apps/meteor/tsconfig.typecheck.tsbuildinfo
           key: typecheck-cache-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
 
       - name: Restore ESLint cache
         id: restore-eslint
         if: matrix.check == 'lint'
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ./apps/meteor/.eslintcache
           key: eslintcache-${{ runner.os }}-${{ hashFiles('yarn.lock') }}
@@ -118,7 +118,7 @@ jobs:
 
       - name: Save ESLint cache
         if: matrix.check == 'lint' && github.ref == 'refs/heads/develop' && github.event_name == 'push'
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ./apps/meteor/.eslintcache
           key: eslintcache-${{ runner.os }}-${{ hashFiles('yarn.lock') }}

.github/workflows/ci-deploy-gh-pages.yml

@@ -11,7 +11,7 @@ jobs:
   deploy-preview:
     runs-on: ubuntu-24.04-arm
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - uses: rharkor/caching-for-turbo@00a0515f175df9fd2e15c4560144ad5fdbebb0c7 # v2.3.13
 
       - name: Setup NodeJS
@@ -30,7 +30,7 @@ jobs:
           mv ${{ github.ref_name }} .preview
 
       - name: Deploy
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: .preview

.github/workflows/ci-test-e2e.yml

@@ -91,7 +91,7 @@ jobs:
     steps:
       - name: Collect Workflow Telemetry
         if: inputs.type == 'perf'
-        uses: catchpoint/workflow-telemetry-action@v2
+        uses: catchpoint/workflow-telemetry-action@94c3c3d9567a0205de6da68a76c428ce4e769af1 # v2.0.0
         with:
           theme: dark
           job_summary: true
@@ -108,13 +108,13 @@ jobs:
 
       - name: Login to GitHub Container Registry
         if: (github.event.pull_request.head.repo.full_name == github.repository || github.event_name == 'release' || github.ref == 'refs/heads/develop') && github.actor != 'dependabot[bot]'
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ secrets.CR_USER }}
           password: ${{ secrets.CR_PAT }}
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup NodeJS
         uses: ./.github/actions/setup-node
@@ -131,7 +131,7 @@ jobs:
 
       # Download Docker images from build artifacts
       - name: Download Docker images
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         if: github.event.pull_request.head.repo.full_name != github.repository && github.event_name != 'release' && github.ref != 'refs/heads/develop'
         with:
           pattern: ${{ inputs.release == 'ce' &&  'docker-image-rocketchat-amd64-coverage' || 'docker-image-*-amd64-coverage' }}
@@ -275,7 +275,7 @@ jobs:
 
       - name: Store playwright test trace
         if: inputs.type == 'ui' && always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: playwright-test-trace-${{ inputs.release }}-${{ matrix.mongodb-version }}-${{ matrix.shard }}
           path: ./apps/meteor/tests/e2e/.playwright*
@@ -291,7 +291,7 @@ jobs:
 
       - name: Store coverage
         if: inputs.coverage == matrix.mongodb-version
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: coverage-${{ inputs.type }}-${{ matrix.shard }}
           path: /tmp/coverage