Pin CI actions to specific SHAs

gemcoder21 · gemcoder21 · commit d1149de47a99 · 2026-06-05T04:58:47.000Z
Pin various GitHub Actions used across CI workflows to fixed commit SHAs for reproducible builds and stability. Updates include: setup-rust-ci (rust-cache, sccache-action, setup-just), multiple workflows (actions/checkout, actions/cache), Docker-related actions (setup-buildx, build-push, bake, login), and softprops/action-gh-release; plus adjust dependabot.yml to replace the previous ignore block with a 7-day cooldown. These changes reduce accidental drift from floating tags and improve CI determinism.
diff --git a/.github/actions/setup-rust-ci/action.yml b/.github/actions/setup-rust-ci/action.yml
@@ -19,15 +19,15 @@ runs:
   steps:
     - name: Restore cargo cache
       if: ${{ inputs.restore-cache == 'true' }}
-      uses: Swatinem/rust-cache@v2
+      uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
       with:
         shared-key: ${{ inputs.shared-key }}
 
     - name: Run sccache-cache
       if: ${{ inputs.sccache == 'true' }}
-      uses: mozilla-actions/sccache-action@v0.0.9
+      uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10
 
     - name: Install just
-      uses: extractions/setup-just@v4
+      uses: extractions/setup-just@53165ef7e734c5c07cb06b3c8e7b647c5aa16db3 # v4.0.0
       with:
         just-version: "1.50.0"
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -29,7 +29,5 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
-    ignore:
-      - dependency-name: "*"
-        update-types:
-          - "version-update:semver-patch"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/android-ci.yml b/.github/workflows/android-ci.yml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           submodules: recursive
 
diff --git a/.github/workflows/core-ci.yml b/.github/workflows/core-ci.yml
@@ -27,7 +27,7 @@ jobs:
         working-directory: core
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Setup Rust
         uses: ./.github/actions/setup-rust-ci
@@ -42,7 +42,7 @@ jobs:
         working-directory: core
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Setup Rust
         uses: ./.github/actions/setup-rust-ci
diff --git a/.github/workflows/core-diesel.yml b/.github/workflows/core-diesel.yml
@@ -43,7 +43,7 @@ jobs:
           --health-retries 5
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Setup Rust
         uses: ./.github/actions/setup-rust-ci
 
diff --git a/.github/workflows/core-lint.yml b/.github/workflows/core-lint.yml
@@ -18,7 +18,7 @@ jobs:
         working-directory: core
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Setup Rust
         uses: ./.github/actions/setup-rust-ci
         with:
diff --git a/.github/workflows/dynode-docker.yml b/.github/workflows/dynode-docker.yml
@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Build dynode
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: ./core
           file: ./core/Dockerfile
diff --git a/.github/workflows/ios-ci.yml b/.github/workflows/ios-ci.yml
@@ -17,7 +17,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           submodules: recursive
 
diff --git a/.github/workflows/ios-ui-tests.yml b/.github/workflows/ios-ui-tests.yml
@@ -43,13 +43,13 @@ jobs:
           echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
         with:
           submodules: recursive
 
       - name: Cache Cargo Dependencies
         if: runner.environment == 'github-hosted'
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ~/.cargo/registry
@@ -60,7 +60,7 @@ jobs:
 
       - name: Cache Cargo Target
         if: runner.environment == 'github-hosted'
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             core/target
@@ -70,7 +70,7 @@ jobs:
 
       - name: Cache Swift Package Manager
         if: runner.environment == 'github-hosted'
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: |
             ~/.swiftpm
@@ -81,7 +81,7 @@ jobs:
 
       - name: Run sccache-cache
         if: runner.environment == 'github-hosted'
-        uses: mozilla-actions/sccache-action@v0.0.8
+        uses: mozilla-actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696 # v0.0.10
 
       - name: Install just
         if: runner.environment == 'github-hosted'
diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml
@@ -26,20 +26,20 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 
       - name: Log in to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build and push core containers
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@6614cfa25eff9a0b2b2697efb0b6159e7680d584 # v7.2.0
         with:
           files: .github/docker-bake.hcl
           targets: default
diff --git a/.github/workflows/release_on_tag.yml b/.github/workflows/release_on_tag.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Create release
-        uses: softprops/action-gh-release@v3
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           name: ${{ github.ref_name }}
           tag_name: ${{ github.ref_name }}
