Skip to content

Commit e3a018c

Browse files
julian-rischclaude
julian-risch
and
claude
authored
chore: pin GitHub Actions to specific commit SHAs (#435)
Use pinact to pin all workflow actions to immutable commit SHAs instead of mutable tags to prevent supply chain attacks. Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent fba3e04 commit e3a018c

File tree

5 files changed

+17
-17
lines changed

5 files changed

+17
-17
lines changed

.github/workflows/dc_sync.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -16,13 +16,13 @@ jobs:
1616

1717
steps:
1818
- name: Checkout
19-
uses: actions/checkout@v4
19+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
2020
with:
2121
fetch-depth: 0
2222

2323
- name: Get changed files
2424
id: files
25-
uses: tj-actions/changed-files@v46
25+
uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
2626
with:
2727
json: true
2828
files: |
@@ -44,9 +44,9 @@ jobs:
4444

4545
steps:
4646
- name: Checkout
47-
uses: actions/checkout@v4
47+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
4848

49-
- uses: actions/setup-python@v5
49+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
5050
with:
5151
python-version: "3.11"
5252

@@ -65,7 +65,7 @@ jobs:
6565
python scripts/generate_txt.py --metadata --notebooks ${{ matrix.file }}
6666
6767
- name: Upload tutorial to deepset Cloud
68-
uses: silvanocerza/deepset-cloud-file-uploader@v1
68+
uses: silvanocerza/deepset-cloud-file-uploader@b2a34976a31f894154a529b7f4b4cc00edb593a4 # v1.1.2
6969
with:
7070
api-key: ${{ secrets.DEEPSET_CLOUD_API_KEY }}
7171
workspace-name: ${{ secrets.DEEPSET_CLOUD_WORKSPACE }}
@@ -93,7 +93,7 @@ jobs:
9393
echo "file=$FILE" >> "$GITHUB_OUTPUT"
9494
9595
- name: Delete file from deepset Cloud
96-
uses: silvanocerza/deepset-cloud-file-deleter@v1
96+
uses: silvanocerza/deepset-cloud-file-deleter@16afef2222bc877b42cf346cce043133debe7c3f # v1.0.0
9797
with:
9898
api-key: ${{ secrets.DEEPSET_CLOUD_API_KEY }}
9999
workspace-name: ${{ secrets.DEEPSET_CLOUD_WORKSPACE }}

.github/workflows/full_dc_sync.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,9 +8,9 @@ jobs:
88
runs-on: ubuntu-latest
99
steps:
1010
- name: Checkout
11-
uses: actions/checkout@v4
11+
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
1212

13-
- uses: actions/setup-python@v5
13+
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
1414
with:
1515
python-version: "3.11"
1616

.github/workflows/project.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ jobs:
1010
name: Add new issues to project for triage
1111
runs-on: ubuntu-latest
1212
steps:
13-
- uses: actions/add-to-project@v1.0.2
13+
- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
1414
with:
1515
project-url: https://github.com/orgs/deepset-ai/projects/5
1616
github-token: ${{ secrets.GH_PROJECT_PAT }}

.github/workflows/run_tutorials.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -14,9 +14,9 @@ jobs:
1414
outputs:
1515
matrix: ${{ steps.matrix.outputs.matrix }}
1616
steps:
17-
- uses: actions/checkout@v6
17+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1818

19-
- uses: actions/setup-python@v6
19+
- uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
2020
with:
2121
python-version: "3.11"
2222

@@ -33,7 +33,7 @@ jobs:
3333
- name: Get changed files
3434
if: github.event_name == 'pull_request'
3535
id: files
36-
uses: tj-actions/changed-files@v47
36+
uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
3737
with:
3838
matrix: true
3939
files: tutorials/*.ipynb
@@ -80,10 +80,10 @@ jobs:
8080

8181
steps:
8282
- name: Checkout
83-
uses: actions/checkout@v6
83+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
8484

8585
- name: Setup Python and uv
86-
uses: astral-sh/setup-uv@v7
86+
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
8787
with:
8888
python-version: "3.11"
8989

@@ -123,6 +123,6 @@ jobs:
123123
124124
- name: Notify Slack on nightly failure
125125
if: failure() && github.event_name != 'pull_request'
126-
uses: deepset-ai/notify-slack-action@v1
126+
uses: deepset-ai/notify-slack-action@3cda73b77a148f16f703274198e7771340cf862b # v1
127127
with:
128128
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL_NOTIFICATIONS }}

.github/workflows/verify_generation.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,10 +11,10 @@ jobs:
1111
runs-on: ubuntu-slim
1212

1313
steps:
14-
- uses: actions/checkout@v6
14+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1515

1616
- name: Setup Python and uv
17-
uses: astral-sh/setup-uv@v7
17+
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
1818
with:
1919
python-version: "3.11"
2020

0 commit comments

Comments
 (0)