ci: update actions

explodingcamera · explodingcamera · commit ebef7fb2c734 · 2026-03-09T15:40:25.000+01:00
Signed-off-by: Henry &lt;mail@henrygressmann.de&gt;
diff --git a/.github/workflows/container.yaml b/.github/workflows/container.yaml
@@ -21,11 +21,11 @@ jobs:
 
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # @v3
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Extract Semver
         id: semver
         env:
@@ -34,7 +34,7 @@ jobs:
           SEMVER_VERSION=$(echo "$INPUT_TAG" | sed -E 's/liwan-v//')
           echo "SEMVER_VERSION=${SEMVER_VERSION}" >> "$GITHUB_OUTPUT"
       - name: Setup Docker Metadata
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # @v5
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         id: meta
         with:
           images: ghcr.io/${{ github.actor }}/liwan
@@ -44,27 +44,32 @@ jobs:
             type=semver,pattern={{major}},value=${{ steps.semver.outputs.SEMVER_VERSION }}
             type=raw,edge
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # @v3
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Download liwan binaries
+        env:
+          INPUT_TAG: "${{ inputs.tag }}"
         run: |
           mkdir -p dist/amd64 dist/arm64
 
-          curl -fsSL https://github.com/explodingcamera/liwan/releases/download/${{ inputs.tag }}/liwan-x86_64-unknown-linux-musl.tar.gz \
+          # sanitize tag: only keep alphanum, dot, underscore, dash
+          SAFE_TAG=$(echo "$INPUT_TAG" | sed 's/[^A-Za-z0-9._-]/_/g')
+
+          curl -fsSL https://github.com/explodingcamera/liwan/releases/download/$SAFE_TAG/liwan-x86_64-unknown-linux-musl.tar.gz \
             | tar -xz -C dist/amd64 &
 
-          curl -fsSL https://github.com/explodingcamera/liwan/releases/download/${{ inputs.tag }}/liwan-aarch64-unknown-linux-musl.tar.gz \
+          curl -fsSL https://github.com/explodingcamera/liwan/releases/download/$SAFE_TAG/liwan-aarch64-unknown-linux-musl.tar.gz \
             | tar -xz -C dist/arm64 &
 
           wait
       - name: Build and push Docker images
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: .
-          file: ./scripts/Dockerfile
+          file: ./scripts/Containerfile
           push: true
           platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -11,10 +11,10 @@ jobs:
       contents: write
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: taiki-e/create-gh-release-action@26b80501670402f1999aff4b934e1574ef2d3705 # @v1.9.1
+      - uses: taiki-e/create-gh-release-action@c5baa0b5dc700cf06439d87935e130220a6882d9 # v1.9.3
         with:
           changelog: CHANGELOG.md
           allow-missing-changelog: true
@@ -27,10 +27,10 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # @v2
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
         with:
           bun-version: latest
           no-cache: true
@@ -40,7 +40,7 @@ jobs:
           bun run build
         working-directory: ./web
       - name: Upload web assets
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: web-dist
           path: ./web/dist
@@ -64,17 +64,17 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions/download-artifact@v6
+      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
         with:
           name: web-dist
           path: ./web/dist
-      - uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # @v1.15.2
+      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
         with:
           cache: false
-      - uses: taiki-e/upload-rust-binary-action@3962470d6e7f1993108411bc3f75a135ec67fc8c # @v1.27.0
+      - uses: taiki-e/upload-rust-binary-action@381995c84a8e242b8736ec80211c563d7bd07ce7 # v1.28.1
         with:
           bin: liwan
           target: ${{ matrix.target }}
diff --git a/.github/workflows/test-web.yaml b/.github/workflows/test-web.yaml
@@ -19,10 +19,10 @@ jobs:
     permissions:
       contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # @v2
+      - uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461 # v2.1.3
         with:
           bun-version: latest
       - name: Build web project
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -23,13 +23,13 @@ jobs:
     name: Run tests on ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
-      - uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # @v1.15.2
+      - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
         with:
           components: clippy, rustfmt
-      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # @v2.8.2
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
       - run: mkdir ./web/dist
       - name: Run tests
         run: cargo test --all --all-features
diff --git a/scripts/Containerfile b/scripts/Containerfile
