From 0fd8e7b523c6946e6e915a9f896eb66d401d1543 Mon Sep 17 00:00:00 2001 From: Joshua Li Date: Mon, 23 Mar 2026 23:42:42 -0700 Subject: [PATCH] chore: pin GitHub Actions to full-length commit SHAs --- .github/workflows/changelog-preview.yml | 2 +- .github/workflows/checks.yml | 76 +++++++++---------- .github/workflows/codeql.yml | 8 +- .../workflows/enforce-license-complience.yml | 2 +- .github/workflows/release.yml | 2 +- 5 files changed, 45 insertions(+), 45 deletions(-) diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index f2b5efd6..b55f6100 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml @@ -15,5 +15,5 @@ permissions: jobs: changelog-preview: - uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 + uses: getsentry/craft/.github/workflows/changelog-preview.yml@f4889d04564e47311038ecb6b910fef6b6cf1363 # v2 secrets: inherit diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index ee7da062..6b2b0fb7 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -12,18 +12,18 @@ jobs: name: Build packages runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: "package.json" - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" key: ${{ runner.os }}-${{ hashFiles('**/package.json') }}-${{ hashFiles('**/yarn.lock') }} - name: Use build cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .nxcache key: build-cache-key-${{ runner.os }}-${{ github.run_id }} @@ -34,7 +34,7 @@ jobs: if: steps.dependency-cache.outputs.cache-hit != 'true' - run: yarn build - name: Upload build artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: dist-artifacts-${{ github.run_id }} path: packages/*/dist @@ -45,18 +45,18 @@ jobs: name: Typing check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: "package.json" - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" key: ${{ runner.os }}-${{ hashFiles('**/package.json') }}-${{ hashFiles('**/yarn.lock') }} - name: Use build cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .nxcache key: build-cache-key-${{ runner.os }}-${{ github.run_id }} @@ -71,18 +71,18 @@ jobs: name: Formatting check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: "package.json" - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" key: ${{ runner.os }}-${{ hashFiles('**/package.json') }}-${{ hashFiles('**/yarn.lock') }} - name: Use build cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .nxcache key: build-cache-key-${{ runner.os }}-${{ github.run_id }} @@ -98,18 +98,18 @@ jobs: name: Unit Tests runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: "package.json" - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" key: ${{ runner.os }}-${{ hashFiles('**/package.json') }}-${{ hashFiles('**/yarn.lock') }} - name: Use build cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .nxcache key: build-cache-key-${{ runner.os }}-${{ github.run_id }} @@ -119,7 +119,7 @@ jobs: run: yarn --frozen-lockfile --ignore-engines if: steps.dependency-cache.outputs.cache-hit != 'true' - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: dist-artifacts-${{ github.run_id }} path: packages @@ -135,12 +135,12 @@ jobs: os: [ubuntu-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" @@ -149,7 +149,7 @@ jobs: run: yarn --frozen-lockfile --ignore-engines if: steps.dependency-cache.outputs.cache-hit != 'true' - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: dist-artifacts-${{ github.run_id }} path: packages @@ -165,12 +165,12 @@ jobs: os: [ubuntu-latest, windows-latest] runs-on: ${{ matrix.os }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" @@ -179,7 +179,7 @@ jobs: run: yarn --frozen-lockfile --ignore-engines if: steps.dependency-cache.outputs.cache-hit != 'true' - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: dist-artifacts-${{ github.run_id }} path: packages @@ -198,16 +198,16 @@ jobs: env: SENTRY_AUTH_TOKEN: ${{ secrets.E2E_TESTS_SENTRY_AUTH_TOKEN }} steps: - - uses: actions/checkout@v4 - - uses: volta-cli/action@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: volta-cli/action@007b1509d3ea9999dbba62ca34f4eb968363bb78 # v3 - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" key: ${{ runner.os }}-${{ hashFiles('**/package.json') }}-${{ hashFiles('**/yarn.lock') }} - name: Use build cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .nxcache key: build-cache-key-${{ runner.os }}-${{ matrix.target }}-${{ matrix.jobIndex }}-${{ github.run_id }} @@ -217,7 +217,7 @@ jobs: run: yarn --frozen-lockfile --ignore-engines if: steps.dependency-cache.outputs.cache-hit != 'true' - name: Download build artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: dist-artifacts-${{ github.run_id }} path: packages @@ -228,18 +228,18 @@ jobs: name: Linter check runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: "package.json" - name: Use dependency cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 id: dependency-cache with: path: "**/node_modules" key: ${{ runner.os }}-${{ hashFiles('**/package.json') }}-${{ hashFiles('**/yarn.lock') }} - name: Use build cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: .nxcache key: build-cache-key-${{ runner.os }}-${{ github.run_id }} @@ -257,8 +257,8 @@ jobs: # Build artifacts are only needed for releasing workflow. if: startsWith(github.ref, 'refs/heads/release/') steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: "package.json" - name: Install dependencies @@ -266,7 +266,7 @@ jobs: - name: pack run: yarn build:npm - name: archive artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ github.sha }} path: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 3cfbefab..fd0a4b18 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -41,11 +41,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@8dca8a82e2fa1a2c8908956f711300f9c4a4f4f6 # v2 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@8dca8a82e2fa1a2c8908956f711300f9c4a4f4f6 # v2 # ℹī¸ Command-line programs to run using the OS shell. # 📚 https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions @@ -70,4 +70,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@8dca8a82e2fa1a2c8908956f711300f9c4a4f4f6 # v2 diff --git a/.github/workflows/enforce-license-complience.yml b/.github/workflows/enforce-license-complience.yml index 8ed039cf..1cbeefff 100644 --- a/.github/workflows/enforce-license-complience.yml +++ b/.github/workflows/enforce-license-complience.yml @@ -11,6 +11,6 @@ jobs: runs-on: ubuntu-latest steps: - name: "Enforce License Compliance" - uses: getsentry/action-enforce-license-compliance@main + uses: getsentry/action-enforce-license-compliance@48236a773346cb6552a7bda1ee370d2797365d87 # main with: fossa_api_key: ${{ secrets.FOSSA_API_KEY }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8178bf23..f14f5f48 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,7 +26,7 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0