From: XhmikosR Date: Wed, 17 Sep 2025 04:34:51 +0000 (+0300) Subject: CI: pin actions X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=44da0697fb3095ac3e5fca8905c790426622ffd3;p=stevenblack-hosts.git CI: pin actions This is considered a better practice security-wise since hashes are immutable. Dependabot handles updating hashes the same way, so there should be no problem updating actions. --- diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 39e34a0ae..1454e0e99 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -39,12 +39,12 @@ jobs: steps: - name: Clone repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python }} cache: pip diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index db28a9167..9a5555199 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -24,20 +24,20 @@ jobs: steps: - name: Clone repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 with: languages: "python" queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v3 + uses: github/codeql-action/autobuild@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3 with: category: "/language:python" diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml index 5f2e275ca..3fc9675a7 100644 --- a/.github/workflows/container.yml +++ b/.github/workflows/container.yml @@ -20,15 +20,15 @@ jobs: packages: write steps: - name: Clone repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Log in to the Container registry - uses: docker/login-action@v3 + uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -36,12 +36,12 @@ jobs: - name: Extract metadata (tags, labels) id: meta - uses: docker/metadata-action@v5 + uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push container image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . push: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml index 0e7493686..164cda481 100644 --- a/.github/workflows/depsreview.yaml +++ b/.github/workflows/depsreview.yaml @@ -9,9 +9,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Clone repository - uses: actions/checkout@v5 + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - name: Dependency Review - uses: actions/dependency-review-action@v4 + uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3