Pin GitHub Actions to commit hashes and enforce pinning

sylwiaszunejko · sylwiaszunejko · commit 44bc95ad6cb6 · 2026-05-22T11:16:53.000+02:00
- Update all action references to use full SHA commit hashes
- Configure Renovate to pin digests and require 90-day minimum age
- Add github-actions ecosystem to Dependabot
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -24,11 +24,11 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: dist
           merge-multiple: true
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@cef2210092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           skip-existing: true
diff --git a/.github/workflows/call_jira_sync.yml b/.github/workflows/call_jira_sync.yml
@@ -11,7 +11,7 @@ permissions:
 
 jobs:
   jira-sync:
-    uses: scylladb/github-automation/.github/workflows/main_pr_events_jira_sync.yml@main
+    uses: scylladb/github-automation/.github/workflows/main_pr_events_jira_sync.yml@83115dc2553dbf968e73271e97fc7aac16b8145a # main 2026-05-20
     with:
       caller_action: ${{ github.event.action }}
     secrets:
diff --git a/.github/workflows/docs-pages.yml b/.github/workflows/docs-pages.yml
@@ -24,14 +24,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event.repository.default_branch }}
           persist-credentials: false
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v8.1.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           working-directory: docs
           enable-cache: true
diff --git a/.github/workflows/docs-pr.yml b/.github/workflows/docs-pr.yml
@@ -31,13 +31,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v8.1.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           working-directory: docs
           enable-cache: true
diff --git a/.github/workflows/integration-tests.yml b/.github/workflows/integration-tests.yml
@@ -56,10 +56,10 @@ jobs:
             event_loop_manager: "asyncore"
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up JDK ${{ matrix.java-version }}
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
         java-version: ${{ matrix.java-version }}
         distribution: 'adopt'
@@ -68,7 +68,7 @@ jobs:
       run: sudo apt-get install libev4 libev-dev
 
     - name: Install uv
-      uses: astral-sh/setup-uv@v8.1.0
+      uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -78,7 +78,7 @@ jobs:
       run: uv sync
 
     - name: Cache Scylla download
-      uses: actions/cache@v5
+      uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
       with:
         path: ~/.ccm/repository
         key: scylla-${{ env.SCYLLA_VERSION }}-${{ runner.os }}
diff --git a/.github/workflows/lib-build.yml b/.github/workflows/lib-build.yml
@@ -77,11 +77,11 @@ jobs:
         include: ${{ fromJson(needs.prepare-matrix.outputs.matrix) }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Checkout tag ${{ inputs.target_tag }}
         if: inputs.target_tag != ''
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ inputs.target_tag }}
 
@@ -96,7 +96,7 @@ jobs:
           echo "CIBW_BEFORE_TEST_WINDOWS=(exit 0)" >> $GITHUB_ENV;
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v8.1.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           python-version: ${{ inputs.python-version }}
 
@@ -111,7 +111,7 @@ jobs:
 
       - name: Install Conan
         if: runner.os == 'Windows'
-        uses: turtlebrowser/get-conan@main
+        uses: turtlebrowser/get-conan@e41c1e039be765c0ed9d9d38cc2a287566e1d8b3 # v1.2
 
       - name: Configure libev for Windows
         if: runner.os == 'Windows'
@@ -147,7 +147,7 @@ jobs:
         run: |
           CIBW_BUILD="cp3*" cibuildwheel --archs aarch64 --output-dir wheelhouse
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: wheels-${{ matrix.target }}-${{ matrix.os }}
           path: ./wheelhouse/*.whl
@@ -156,17 +156,17 @@ jobs:
     name: Build source distribution
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v8.1.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           python-version: ${{ inputs.python-version }}
 
       - name: Build sdist
         run: uv build --sdist
 
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: source-dist
           path: dist/*.tar.gz
diff --git a/.github/workflows/publish-manually.yml b/.github/workflows/publish-manually.yml
@@ -58,11 +58,11 @@ jobs:
     permissions:
       id-token: write
     steps:
-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: dist
           merge-multiple: true
 
-      - uses: pypa/gh-action-pypi-publish@release/v1
+      - uses: pypa/gh-action-pypi-publish@cef2210092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
         with:
           skip-existing: true
diff --git a/renovate.json b/renovate.json
@@ -2,5 +2,12 @@
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
   "extends": [
     "config:recommended"
+  ],
+  "packageRules": [
+    {
+      "matchManagers": ["github-actions"],
+      "pinDigests": true,
+      "minimumReleaseAge": "90 days"
+    }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -2,5 +2,12 @@`
`2`	`2`	`"$schema": "https://docs.renovatebot.com/renovate-schema.json",`
`3`	`3`	`"extends": [`
`4`	`4`	`"config:recommended"`
	`5`	`+ ],`
	`6`	`+ "packageRules": [`
	`7`	`+ {`
	`8`	`+ "matchManagers": ["github-actions"],`
	`9`	`+ "pinDigests": true,`
	`10`	`+ "minimumReleaseAge": "90 days"`
	`11`	`+ }`
`5`	`12`	`]`
`6`	`13`	`}`