GHA: license check and action pinning

stephen-derosa · stephen-derosa · commit 0a187183fbc4 · 2026-04-09T12:47:53.000-06:00
diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
@@ -11,6 +11,14 @@ env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
+  license-check:
+    name: License Check
+    uses: ./.github/workflows/license_check.yml
+
+  pin-check:
+    name: Pin Check
+    uses: ./.github/workflows/pin_check.yml
+
   build:
     strategy:
       fail-fast: false
@@ -25,10 +33,12 @@ jobs:
 
     name: Build (${{ matrix.name }})
     runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       # ---------- deps ----------
       - name: Install deps (Ubuntu)
@@ -68,7 +78,7 @@ jobs:
 
       - name: Setup MSVC (Windows)
         if: runner.os == 'Windows'
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
         with:
           arch: x64
 
@@ -159,7 +169,7 @@ jobs:
 
       # ---------- upload build output ----------
       - name: Upload binary
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: basic_room-${{ matrix.name }}
           path: |
diff --git a/.github/workflows/license_check.yml b/.github/workflows/license_check.yml
@@ -0,0 +1,38 @@
+# Copyright 2026 LiveKit, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: License Check
+on:
+  workflow_call: {}
+  workflow_dispatch: {}
+
+jobs:
+  license-check:
+    name: License Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Check License Headers
+        shell: bash
+        run: |
+          shopt -s globstar
+          # ghcr.io/google/addlicense v1.2.0
+          docker run --rm -v ${PWD}:/src -w /src ghcr.io/google/addlicense@sha256:5a48f41ccc8cf3fdd04499649f02a9ee5877ab6f39fd1ac18fd1db5eb1062c5a \
+            -check \
+            -l apache \
+            -c "LiveKit, Inc." \
+            **/*.{cpp,h,hpp}
diff --git a/.github/workflows/pin_check.yml b/.github/workflows/pin_check.yml
@@ -0,0 +1,32 @@
+# Copyright 2026 LiveKit, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Pin Check
+on:
+  workflow_call: {}
+  workflow_dispatch:
+
+jobs:
+  pin-check:
+    name: Pin Check
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      - name: Pin Check
+        uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
+        with:
+          skip_push: true
