chore(repo): pin GitHub Actions to SHAs and drop persisted tokens

Convert every `uses:` reference in `.github/workflows/**` and
`.github/actions/**` from a mutable tag to an immutable commit SHA,
with the tag preserved as a trailing comment so the version is still
readable. Extend the Renovate config generator to manage the
`.github/**` paths (previously outside `includePaths`) with
`pinDigests: true`, so the SHAs stay current automatically.

Set `persist-credentials: false` on every `actions/checkout` step
that does not require the persisted `GITHUB_TOKEN`. The release job
in `release.yml` is intentionally left alone: it sets a `token:`
input explicitly so `changesets/action` can push the Version PR.

Author: jacekradko

.changeset/harden-gh-actions.md

@@ -0,0 +1,2 @@
+---
+---

.github/actions/ensure-stable-pr/action.yml

@@ -8,7 +8,7 @@ runs:
   using: 'composite'
   steps:
     - name: Ensure the PR hasn't changed since initiating the commented command.
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
       env:
         CMD: ${{ inputs.cmd }}
       with:

.github/actions/init-blacksmith/action.yml

@@ -48,7 +48,7 @@ runs:
   steps:
     - name: Configure Turborepo
       id: turbo
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
       env:
         # envs are required to pass inputs to the script
         CACHE: ${{ inputs.turbo-cache }}
@@ -110,10 +110,10 @@ runs:
       run: echo $TURBO_ARGS
 
     - name: Install PNPM
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 
     - name: Setup NodeJS ${{ inputs.node-version }}
-      uses: useblacksmith/setup-node@v5
+      uses: useblacksmith/setup-node@65c6ca86fdeb0ab3d85e78f57e4f6a7e4780b391 # v5
       with:
         cache: ${{ inputs.cache-enabled == 'true' && 'pnpm' || '' }}
         node-version: ${{ inputs.node-version }}
@@ -139,7 +139,7 @@ runs:
 
     - name: Cache Playwright Binaries
       if: inputs.playwright-enabled == 'true' && inputs.cache-enabled == 'true'
-      uses: useblacksmith/cache@v5
+      uses: useblacksmith/cache@71c7c918062ba3861252d84b07fe5ab2a6b467a6 # v5
       id: playwright-cache
       with:
         path: ~/.cache/ms-playwright

.github/actions/init/action.yml

@@ -48,7 +48,7 @@ runs:
   steps:
     - name: Configure Turborepo
       id: turbo
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
       env:
         # envs are required to pass inputs to the script
         CACHE: ${{ inputs.turbo-cache }}
@@ -110,10 +110,10 @@ runs:
       run: echo $TURBO_ARGS
 
     - name: Install PNPM
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
 
     - name: Setup NodeJS ${{ inputs.node-version }}
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         cache: ${{ inputs.cache-enabled == 'true' && 'pnpm' || '' }}
         node-version: ${{ inputs.node-version }}
@@ -139,7 +139,7 @@ runs:
 
     - name: Cache Playwright Binaries
       if: inputs.playwright-enabled == 'true' && inputs.cache-enabled == 'true'
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       id: playwright-cache
       with:
         path: ~/.cache/ms-playwright

.github/workflows/ci.yml

@@ -31,7 +31,7 @@ jobs:
       - name: Get User Permission
         if: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository }}
         id: checkAccess
-        uses: actions-cool/check-user-permission@v2
+        uses: actions-cool/check-user-permission@c21884f3dda18dafc2f8b402fe807ccc9ec1aa5e # v2
         with:
           require: write
           username: ${{ github.triggering_actor }}
@@ -57,8 +57,9 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 100 # Enough for changeset status comparison, much faster than full history
           fetch-tags: false
           filter: "blob:none"
@@ -109,8 +110,9 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 1
           fetch-tags: false
           filter: "blob:none"
@@ -130,7 +132,7 @@ jobs:
         run: pnpm turbo build $TURBO_ARGS --only
 
       - name: Upload Turbo Summary
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: ${{ env.TURBO_SUMMARIZE == 'true' }}
         continue-on-error: true
         with:
@@ -156,8 +158,9 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 1
           fetch-tags: false
           filter: "blob:none"
@@ -194,7 +197,7 @@ jobs:
         run: pnpm turbo lint $TURBO_ARGS
 
       - name: Upload Turbo Summary
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: ${{ env.TURBO_SUMMARIZE == 'true' }}
         continue-on-error: true
         with:
@@ -231,8 +234,9 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 1
           fetch-tags: false
           filter: "blob:none"
@@ -272,7 +276,7 @@ jobs:
           NODE_VERSION: ${{ matrix.node-version }}
 
       - name: Upload Turbo Summary
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         if: ${{ env.TURBO_SUMMARIZE == 'true' }}
         continue-on-error: true
         with:
@@ -342,8 +346,9 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 1
           fetch-tags: false
           filter: "blob:none"
@@ -435,7 +440,7 @@ jobs:
         run: cd packages/astro && pnpm copy:components
 
       - name: Write all ENV certificates to files in integration/certs
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         env:
           INTEGRATION_CERTS: "${{secrets.INTEGRATION_CERTS}}"
           INTEGRATION_ROOT_CA: "${{secrets.INTEGRATION_ROOT_CA}}"
@@ -483,7 +488,7 @@ jobs:
 
       - name: Upload test-results
         if: ${{ cancelled() || failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ steps.sanitize.outputs.artifact-suffix }}${{ matrix.next-version && format('-next{0}', matrix.next-version) || '' }}
           path: test-results
@@ -503,8 +508,9 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 1
           fetch-tags: false
           filter: "blob:none"

.github/workflows/e2e-cleanups.yml

@@ -16,8 +16,9 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 0
           show-progress: false
 

.github/workflows/e2e-staging.yml

@@ -43,7 +43,7 @@ jobs:
     runs-on: 'blacksmith-8vcpu-ubuntu-2204'
     steps:
       - name: Check org membership
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const org = context.repo.owner;
@@ -97,8 +97,9 @@ jobs:
           fi
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           ref: ${{ steps.inputs.outputs.ref }}
           sparse-checkout: scripts/validate-staging-instances.mjs
           fetch-depth: 1
@@ -173,8 +174,9 @@ jobs:
           fi
 
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           ref: ${{ steps.inputs.outputs.ref }}
           fetch-depth: 1
           fetch-tags: false
@@ -245,7 +247,7 @@ jobs:
           pnpm add @clerk/ui@latest
 
       - name: Write all ENV certificates to files in integration/certs
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         env:
           INTEGRATION_CERTS: '${{ secrets.INTEGRATION_CERTS }}'
           INTEGRATION_ROOT_CA: '${{ secrets.INTEGRATION_ROOT_CA }}'
@@ -285,7 +287,7 @@ jobs:
 
       - name: Upload test-results
         if: ${{ cancelled() || failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: playwright-traces-${{ github.run_id }}-${{ github.run_attempt }}-${{ steps.inputs.outputs.artifact-suffix }}
           path: test-results
@@ -328,7 +330,7 @@ jobs:
 
       - name: Notify Slack on failure
         if: ${{ needs.integration-tests.result == 'failure' && steps.inputs.outputs.notify-slack == 'true' }}
-        uses: slackapi/slack-github-action@v1.24.0
+        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
         with:
           payload: |
             {
@@ -349,7 +351,7 @@ jobs:
       # Uncomment when clerk_go side is ready
       # - name: Post commit status to clerk_go
       #   if: ${{ steps.inputs.outputs.clerk-go-commit-sha != '' }}
-      #   uses: actions/github-script@v7
+      #   uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
       #   with:
       #     github-token: ${{ secrets.CLERK_COOKIE_PAT }}
       #     script: |

.github/workflows/labeler.yml

@@ -11,4 +11,4 @@ jobs:
       pull-requests: write
     runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }}
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6

.github/workflows/lock-threads.yml

@@ -19,7 +19,7 @@ jobs:
     timeout-minutes: 3
     runs-on: ${{ vars.RUNNER_NORMAL || 'ubuntu-latest' }}
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         name: Regular stale action
         with:
           days-before-issue-stale: 30
@@ -56,7 +56,7 @@ jobs:
             After 60 days of no activity, we'll close this PR. Keep in mind, I'm just a robot, so if I've closed this PR in error, please reply here and my human colleagues will reopen it.
 
             Thanks for being a part of the Clerk community! 🙏
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         name: Stale action for needs-reproduction issues
         with:
           days-before-issue-stale: 7
@@ -73,7 +73,7 @@ jobs:
             Thanks for being a part of the Clerk community! 🙏
           close-issue-message: |
             After 8 days without a reproduction being supplied, we are closing this issue. Keep in mind, I'm just a robot, so if I've closed this issue in error, please reply here and my human colleagues will reopen it. Likewise if a reproduction is prepared after it has been closed.
-      - uses: dessant/lock-threads@v4
+      - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4
         with:
           issue-inactive-days: '365'
           issue-comment: 'This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.'

.github/workflows/major-version-check.yml

@@ -18,7 +18,7 @@ jobs:
     steps:
       - name: Check for major changesets
         id: check_major
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const prNumber = context.payload?.pull_request?.number || context.payload?.issue?.number;
@@ -74,7 +74,7 @@ jobs:
       - name: Check if major version bump is allowed
         if: steps.check_major.outputs.has_major_changeset == 'true'
         id: check_approval
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7
         with:
           script: |
             const prNumber = context.payload?.pull_request?.number || context.payload?.issue?.number;