chore(security): pin down actions to commit SHA

keshav-space · keshav-space · commit a5f1c89ecf8f · 2026-04-01T20:37:19.000+05:30
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -36,10 +36,10 @@ jobs:
 
     steps:
       - name: Checkout source
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@aad518f59d88bae90133242f9ddac7f8bbc5dddf #v1.94.1
         with:
           components: rustfmt, clippy
 
diff --git a/.github/workflows/collect-purls_template.yml b/.github/workflows/collect-purls_template.yml
@@ -46,7 +46,7 @@ jobs:
           >  "${{ inputs.ecosystem }}.txt"
 
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
 
       - name: Commit and push if it changed
         run: |-
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,15 +14,15 @@ jobs:
       id-token: write
       contents: write
     steps:
-    - uses: actions/checkout@v5
-    - uses: rust-lang/crates-io-auth-action@v1
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+    - uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe #v1.0.4
       id: auth
     - run: cargo publish
       env:
         CARGO_REGISTRY_TOKEN: ${{ steps.auth.outputs.token }}
     
     - name: Create a GitHub release
-      uses: softprops/action-gh-release@v2
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b  # v2.5.0
       with:
           generate_release_notes: true
           draft: false
diff --git a/.github/workflows/sync-purls.yml b/.github/workflows/sync-purls.yml
@@ -38,12 +38,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout source
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           token: ${{ secrets.GH_TAG_RELEASE_TOKEN }}
 
       - name: Install Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@aad518f59d88bae90133242f9ddac7f8bbc5dddf #v1.94.1
 
       - name: Install cargo-edit
         run: cargo install cargo-edit
