Partially Harden CI (#5563)

hyperupcall · web-flow · commit 1bb14782c941 · 2026-04-12T01:26:00.000-07:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,8 @@
 version: 2
 updates:
   - package-ecosystem: 'github-actions'
+    cooldown:
+      default-days: 14
     directory: '/'
     schedule:
       interval: 'monthly'
diff --git a/.github/workflows/auto-update.yml b/.github/workflows/auto-update.yml
@@ -26,12 +26,14 @@ jobs:
       contents: 'write'
       pull-requests: 'write'
     steps:
-      - uses: 'actions/checkout@v6'
-      - uses: 'actions/setup-node@v6'
+      - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: 'actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f' # v6.3.0
         with:
           node-version: '20'
           cache: 'npm'
           cache-dependency-path: './package-lock.json'
       - run: 'npm clean-install'
       - run: 'node ./cli.js build-xregistry'
-      - uses: peter-evans/create-pull-request@v8
+      - uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
diff --git a/.github/workflows/codeowners-merge.yml b/.github/workflows/codeowners-merge.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions: 'write-all'
     steps:
-      - uses: 'actions/checkout@v6'
+      - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
       - name: 'Run Codeowners check'
         uses: 'OSS-Docs-Tools/code-owner-self-merge@9f01f6d51b10a0e0a12300cdd614c9fa80787868'
         env:
diff --git a/.github/workflows/github-pages.yml b/.github/workflows/github-pages.yml
@@ -25,16 +25,18 @@ jobs:
     runs-on: 'ubuntu-latest'
     if: ${{ github.repository_owner == 'SchemaStore' }}
     steps:
-      - uses: 'actions/checkout@v6'
-      - uses: 'actions/setup-node@v6'
+      - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: 'actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f' # v6.3.0
         with:
           node-version: '22'
           cache: 'npm'
           cache-dependency-path: './package-lock.json'
       - run: 'npm clean-install'
       - run: 'node ./cli.js build-website'
-      - uses: 'actions/configure-pages@v5'
-      - uses: 'actions/upload-pages-artifact@v4'
+      - uses: 'actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b' # v5.0.0
+      - uses: 'actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b' # v4.0.0
         with:
           path: './website'
 
@@ -48,4 +50,4 @@ jobs:
     needs: 'build'
     steps:
       - id: 'deployment'
-        uses: 'actions/deploy-pages@v4'
+        uses: 'actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e' # v4.0.5
diff --git a/.github/workflows/label-prs.yml b/.github/workflows/label-prs.yml
@@ -7,7 +7,7 @@ jobs:
     if: github.repository == 'SchemaStore/schemastore'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           repo-token: '${{ secrets.GITHUB_TOKEN }}'
           sync-labels: true
diff --git a/.github/workflows/pre-commit-checks.yml b/.github/workflows/pre-commit-checks.yml
@@ -8,13 +8,15 @@ jobs:
     name: Run pre-commit checks
     steps:
       - name: Checkout the repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       # Enablement of https://pre-commit.ci is desirable as it also
       # enable auto-fixes for formatting violations. Still we still want to run
       # our own GitHub action, just in case the external service becomes
       # unavailable.
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.11'
       - name: Install pre-commit
diff --git a/.github/workflows/stale-prs.yml b/.github/workflows/stale-prs.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.repository_owner == 'SchemaStore'
     steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
         with:
           stale-pr-message: 'This PR is stale because it has been open 60 days with no activity. Comment or this will be closed in 7 days.'
           close-pr-message: 'This PR was closed because it has been stalled for 7 days with no activity.'
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -8,8 +8,10 @@ jobs:
     timeout-minutes: 10
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '20'
           cache: 'npm'
