From 95c922157dadba48e1e0e363cd513dd91c3887f4 Mon Sep 17 00:00:00 2001
From: Jon Church
Date: Wed, 22 Apr 2026 15:52:42 -0400
Subject: [PATCH] ci: pin GitHub Actions to SHAs

Resolve all tag-referenced actions in .github/workflows/ to full commit SHAs, preserving the original tag as an inline comment.

---
 .github/workflows/build.yml | 14 +++++++-------
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/crowdin.yml | 2 +-
 .github/workflows/deploy.yml | 6 +++---
 .github/workflows/playwright.yml | 8 ++++----
 .github/workflows/scorecards.yml | 6 +++---
 .github/workflows/sync-orama.yml | 4 ++--
 .github/workflows/update-external-docs.yml | 12 ++++++------
 8 files changed, 30 insertions(+), 30 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0d7eed4592..4b5050b8d0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,12 +31,12 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 # node-version-file: ".nvmrc" use when .nvmrc is on root of the repo
 node-version: '24.13'
@@ -58,19 +58,19 @@ jobs:
 github.event_name != 'pull_request_review'
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Build Astro site
- uses: withastro/action@v6
+ uses: withastro/action@b7d53628f8b666036b0238aadb0b984a2a489f26 # v6
 with:
 path: .
 package-manager: npm
 out-dir: dist
 - name: Upload build artifact for linkChecker
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: site-dist
 path: dist/
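Review bot: The trailing comment on each pinned line (`# v6`, `# v4`) records only the moving major tag, so once the SHA is what actually runs, a reader cannot tell from the file which release was pinned; this applies to every hunk in the patch except the two `create-or-update-pull-request-action` lines in update-external-docs.yml, which already record the exact release as `# v1.10.1`. I would use the same form everywhere, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v<exact release tag the SHA resolves to>`, taking the tag from the upstream release rather than the major alias. That comment is also what Dependabot's `github-actions` ecosystem and Renovate parse to propose updates, so if either is enabled for this repo (not visible in this patch) an accurate tag is what keeps these pins from silently going stale. Each SHA should be confirmed against the tag on the upstream repository itself before merge, since the patch gives no way to check that here.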
@@ -81,12 +81,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Download build artifact
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: site-dist
 path: dist/
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 464f7e2642..7c33bd2efc 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,11 +41,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -55,7 +55,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v4
+ uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -68,6 +68,6 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 category: '/language:${{matrix.language}}'
diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml
index b0be632134..ec4a07c94a 100644
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
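Review bot: The checkout step pinned in the codeql.yml `@@ -41` hunk has no `with:` block, so it keeps actions/checkout's default of leaving the job token in the checked-out repository's git config for every later step; the checkout hunks in build.yml, crowdin.yml, scorecards.yml, sync-orama.yml and update-external-docs.yml in this same patch all set `persist-credentials: false`, and the deploy.yml `@@ -21` and playwright.yml `@@ -21` checkout steps have the same gap. Since this commit is the one touching each of those lines, I would add `with:` followed by `persist-credentials: false` under each of the three, which is the same two-line block the other workflows use. As far as the hunks show, none of these three jobs pushes back to the repository from a later step, so the token should not be needed after checkout; if one of them does, that would be worth a comment on the step.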
@@ -14,7 +14,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f0a82d1674..c3d8f65d13 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -21,10 +21,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Build and upload pages artifact
- uses: withastro/action@v6
+ uses: withastro/action@b7d53628f8b666036b0238aadb0b984a2a489f26 # v6
 with:
 path: .
 package-manager: npm
@@ -40,4 +40,4 @@ jobs:
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
index 78e32d2a3c..54c6de14b3 100644
--- a/.github/workflows/playwright.yml
+++ b/.github/workflows/playwright.yml
@@ -21,10 +21,10 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version: '24.13'
 cache: 'npm'
@@ -61,7 +61,7 @@ jobs:
 run: echo "version=$(npx playwright --version | awk '{print $2}')" >> $GITHUB_OUTPUT
 - name: Cache Playwright browsers
- uses: actions/cache@v4
+ uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ~/.cache/ms-playwright
 key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }}
@@ -79,7 +79,7 @@ jobs:
 - name: Upload Playwright test results
 if: always()
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: playwright-report
 path: playwright-report/
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index ab3de435ba..c8306d9f41 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -36,7 +36,7 @@ jobs:
 steps:
 - name: 'Checkout code'
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
@@ -63,7 +63,7 @@ jobs:
 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
 # format to the repository Actions tab.
 - name: 'Upload artifact'
- uses: actions/upload-artifact@v6
+ uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 with:
 name: SARIF file
 path: results.sarif
@@ -71,6 +71,6 @@ jobs:
 # Upload the results to GitHub's code scanning dashboard.
 - name: 'Upload to code-scanning'
- uses: github/codeql-action/upload-sarif@v4
+ uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
 with:
 sarif_file: results.sarif
diff --git a/.github/workflows/sync-orama.yml b/.github/workflows/sync-orama.yml
index 2cdbf15533..652df1488e 100644
--- a/.github/workflows/sync-orama.yml
+++ b/.github/workflows/sync-orama.yml
@@ -25,12 +25,12 @@ jobs:
 steps:
 - name: 'Checkout'
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
 with:
 node-version-file: '.nvmrc'
 cache: 'npm'
diff --git a/.github/workflows/update-external-docs.yml b/.github/workflows/update-external-docs.yml
index aa7317a19f..04b77296f9 100644
--- a/.github/workflows/update-external-docs.yml
+++ b/.github/workflows/update-external-docs.yml
@@ -15,7 +15,7 @@ jobs:
 if: github.repository_owner == 'expressjs'
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
@@ -35,7 +35,7 @@ jobs:
 - name: Create Pull Request
 if: steps.expiry.outputs.bump == 'true'
- uses: gr2m/create-or-update-pull-request-action@v1
+ uses: gr2m/create-or-update-pull-request-action@b65137ca591da0b9f43bad7b24df13050ea45d1b # v1.10.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -60,12 +60,12 @@ jobs:
 if: github.repository_owner == 'expressjs'
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: lts/*
@@ -82,7 +82,7 @@ jobs:
 run: npm run fix
 - name: Create Pull Request
- uses: gr2m/create-or-update-pull-request-action@v1
+ uses: gr2m/create-or-update-pull-request-action@b65137ca591da0b9f43bad7b24df13050ea45d1b # v1.10.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
@@ -100,7 +100,7 @@ jobs:
 if: github.repository_owner == 'expressjs'
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 with:
 persist-credentials: false
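Review bot: The `@@ -60` hunk pins `actions/setup-node` at `49933ea5288caeca8642d1e84afbd3f7d6820020 # v4`, while build.yml, playwright.yml and sync-orama.yml in this same patch pin the v6 line of the same action; the SHA pin now freezes this job on the older major, and the `# v4` comment becomes the only cue that it lags the rest of the repository. Upgrading is rightly out of scope for a pin-only commit, but I would either note the discrepancy in the commit message or leave a one-line comment above the step such as `# still on setup-node v4; the other workflows use v6 — upgrade in a follow-up`, so the gap is not mistaken for a deliberate choice later. The job these hunks belong to starts and ends outside the hunks, so whether anything in it depends on v4-specific behaviour cannot be judged from here.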