From 4c3c4805c8b169f59355784fd434ea6aef960a12 Mon Sep 17 00:00:00 2001 From: shamoon <4887959+shamoon@users.noreply.github.com> Date: Sun, 29 Mar 2026 13:04:10 -0700 Subject: [PATCH] Security: pin GitHub Actions to specific SHAs (#6480) --- .github/workflows/crowdin.yml | 4 ++-- .github/workflows/docker-publish.yml | 30 ++++++++++++------------- .github/workflows/docs-publish.yml | 24 ++++++++++---------- .github/workflows/pr-quality.yml | 2 +- .github/workflows/reaction-comments.yml | 2 +- .github/workflows/release-drafter.yml | 4 ++-- .github/workflows/repo-maintenance.yml | 10 ++++----- .github/workflows/test.yml | 8 +++---- 8 files changed, 42 insertions(+), 42 deletions(-) diff --git a/.github/workflows/crowdin.yml b/.github/workflows/crowdin.yml index a841c7b76..68271247d 100644 --- a/.github/workflows/crowdin.yml +++ b/.github/workflows/crowdin.yml @@ -17,9 +17,9 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: crowdin action - uses: crowdin/github-action@v2 + uses: crowdin/github-action@7ca9c452bfe9197d3bb7fa83a4d7e2b0c9ae835d # v2 with: upload_translations: false download_translations: true diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 72ee1c58b..1622fd8df 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
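Review bot: The SHAs on the new `uses:` lines cannot be verified from the diff, and GitHub will happily resolve a commit that exists anywhere in a repository's fork network, so each pin should be checked against the upstream release rather than merely accepted as a valid commit — e.g. `git ls-remote https://github.com/crowdin/github-action refs/tags/v2` and compare the peeled SHA with `7ca9c452...`. Recording the exact release tag the SHA was taken from in the trailing comment (not just the major, `# v2`) makes that check repeatable and lets Dependabot or Renovate keep the comment and the pin in sync. Pinning also stops patch and security updates arriving on their own, so unless a `.github/dependabot.yml` entry for `package-ecosystem: github-actions` already exists (none is in this diff), add one so the pins are refreshed through reviewed PRs. A pin fixes only the action's own source: if crowdin/github-action runs as a Docker action, the image it builds or pulls is pinned only as far as its own Dockerfile is — worth confirming.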
@@ -22,24 +22,24 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: 3.x - name: Check files - uses: pre-commit/action@v3.0.1 + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 - name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5 with: version: 10 run_install: false - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: 24 cache: 'pnpm' @@ -62,11 +62,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v6 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6 with: images: | ${{ env.IMAGE_NAME }} @@ -84,7 +84,7 @@ jobs: latest=auto - name: Next.js build cache - uses: actions/cache@v5 + uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5 with: path: .next/cache key: nextjs-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}-${{ hashFiles('**/*.js', '**/*.jsx') }} @@ -92,13 +92,13 @@ jobs: nextjs-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }} - name: Install pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5 with: version: 10 run_install: false - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: 24 cache: 'pnpm' 
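Review bot: The SHA pin on pnpm/action-setup does not pin pnpm itself: `version: 10` is still a floating major, so the action downloads whatever 10.x release is current at run time and the following Setup Node.js/build steps trust that binary. Pin the package manager as well, either with an exact version string here or (I believe the action supports this) by dropping `version:` and declaring `packageManager` in package.json. The same caveat applies to pre-commit/action a few lines above: its commit is now fixed, but the hooks it executes come from the `rev:` entries in `.pre-commit-config.yaml`, which are outside this diff and are usually tags rather than SHAs.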
@@ -115,7 +115,7 @@ jobs: - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 with: registry: ghcr.io username: ${{ github.actor }} @@ -123,20 +123,20 @@ jobs: - name: Login to Docker Hub if: github.event_name != 'pull_request' - uses: docker/login-action@v4 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Setup QEMU - uses: docker/setup-qemu-action@v4.0.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 - name: Setup Docker buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4 - name: Build and push Docker image id: build-and-push - uses: docker/build-push-action@v7 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7 with: context: . push: ${{ github.event_name != 'pull_request' }} diff --git a/.github/workflows/docs-publish.yml b/.github/workflows/docs-publish.yml index f221b33bc..4a921bb1e 100644 --- a/.github/workflows/docs-publish.yml +++ b/.github/workflows/docs-publish.yml @@ -19,13 +19,13 @@ jobs: runs-on: ubuntu-22.04 steps: - name: Checkout repository - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - name: Install python - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version: 3.x - name: Check files - uses: pre-commit/action@v3.0.1 + uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1 test: name: Test Build Docs 
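Review bot: The pin on docker/build-push-action fixes the build tooling but not what goes into the published image: the Dockerfile's `FROM` lines and anything fetched during the build are unaffected, so digest-pinning base images (`image:tag@sha256:...`) is the matching change on the image side. The `with:` block of this step continues past the hunk; if `provenance` and `sbom` are not already set there, enabling them gives consumers an attestation tying the pushed image back to this pinned workflow. Minor: docker/setup-qemu-action carries a full tag in its comment (`# v4.0.0`, mirroring the old ref) while the neighbouring pins record only the major (`# v4`), so the comments are not uniformly useful when re-verifying SHAs.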
@@ -34,12 +34,12 @@ jobs: needs: - pre-commit steps: - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version-file: ".python-version" - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7 - run: sudo apt-get install pngquant - name: Test Docs Build run: uv run --frozen zensical build --clean @@ -53,18 +53,18 @@ jobs: needs: - pre-commit steps: - - uses: actions/configure-pages@v5 - - uses: actions/checkout@v6 - - uses: actions/setup-python@v6 + - uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6 with: python-version-file: ".python-version" - name: Install uv - uses: astral-sh/setup-uv@v7 + uses: astral-sh/setup-uv@94527f2e458b27549849d47d273a16bec83a01e9 # v7 - run: sudo apt-get install pngquant - name: Build Docs run: uv run --frozen zensical build --clean - - uses: actions/upload-pages-artifact@v4 + - uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4 with: path: site - - uses: actions/deploy-pages@v4 + - uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4 id: deployment diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml index a0cc6e497..e662a51b7 100644 --- a/.github/workflows/pr-quality.yml +++ b/.github/workflows/pr-quality.yml @@ -13,6 +13,6 @@ jobs: anti-slop: runs-on: ubuntu-latest steps: - - uses: peakoss/anti-slop@v0 + - uses: peakoss/anti-slop@a5a4b2440c9de6f65b64f0718a0136a1fdb04f6f # v0 with: max-failures: 4 diff --git a/.github/workflows/reaction-comments.yml b/.github/workflows/reaction-comments.yml index 2f59dd346..f0f73b516 100644 
--- a/.github/workflows/reaction-comments.yml +++ b/.github/workflows/reaction-comments.yml @@ -15,4 +15,4 @@ jobs: action: runs-on: ubuntu-latest steps: - - uses: dessant/reaction-comments@v4 + - uses: dessant/reaction-comments@e86d247c12bd5c043eec379a1a4453f20cadf913 # v4 diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml index 4d003233f..50e51415e 100644 --- a/.github/workflows/release-drafter.yml +++ b/.github/workflows/release-drafter.yml @@ -26,14 +26,14 @@ jobs: runs-on: ubuntu-latest steps: - if: github.event_name == 'workflow_dispatch' && github.event.inputs.version != '' - uses: release-drafter/release-drafter@v7 + uses: release-drafter/release-drafter@a6acf82562eee06318b77ab8cb0b11ed81c677a7 # v7 with: config-name: release-drafter.yml version: ${{ github.event.inputs.version }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - if: github.event_name != 'workflow_dispatch' || github.event.inputs.version == '' - uses: release-drafter/release-drafter@v7 + uses: release-drafter/release-drafter@a6acf82562eee06318b77ab8cb0b11ed81c677a7 # v7 with: config-name: release-drafter.yml env: diff --git a/.github/workflows/repo-maintenance.yml b/.github/workflows/repo-maintenance.yml index c1466ea8a..8b4435034 100644 --- a/.github/workflows/repo-maintenance.yml +++ b/.github/workflows/repo-maintenance.yml @@ -18,7 +18,7 @@ jobs: name: 'Stale' runs-on: ubuntu-latest steps: - - uses: actions/stale@v10 + - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10 with: days-before-stale: 7 days-before-close: 14 @@ -32,7 +32,7 @@ jobs: name: 'Lock Old Threads' runs-on: ubuntu-latest steps: - - uses: dessant/lock-threads@v6 + - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7 # v6 with: issue-inactive-days: '30' pr-inactive-days: '30' 
@@ -57,7 +57,7 @@ jobs: name: 'Close Answered Discussions' runs-on: ubuntu-latest steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | function sleep(ms) { @@ -113,7 +113,7 @@ jobs: name: 'Close Outdated Discussions' runs-on: ubuntu-latest steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | function sleep(ms) { @@ -204,7 +204,7 @@ jobs: name: 'Close Unsupported Feature Requests' runs-on: ubuntu-latest steps: - - uses: actions/github-script@v8 + - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8 with: script: | function sleep(ms) { diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 07b0cb7a7..153359bd9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -13,13 +13,13 @@ jobs: matrix: shard: [1, 2, 3, 4] steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - uses: pnpm/action-setup@v5 + - uses: pnpm/action-setup@a8198c4bff370c8506180b035930dea56dbd5288 # v5 with: version: 9 - - uses: actions/setup-node@v6 + - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6 with: node-version: 20 cache: pnpm @@ -28,7 +28,7 @@ jobs: # Run Vitest directly so `--shard` is parsed as an option - run: pnpm -s exec vitest run --coverage --shard ${{ matrix.shard }}/4 --pool forks - name: Upload coverage reports to Codecov - uses: codecov/codecov-action@v5 + uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5 with: token: ${{ secrets.CODECOV_TOKEN }} files: ./coverage/lcov.info
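Review bot: From what is visible, the test matrix still installs pnpm `version: 9` with `node-version: 20` while docker-publish.yml builds the shipped image with pnpm 10 and Node 24, so the tests never exercise the toolchain the image actually uses; aligning `version:` and `node-version:` here with the publish workflow (or having both read a single source such as `packageManager`/`.nvmrc`) closes that gap. As elsewhere, `version: 9` is a floating major that the action resolves at run time, so the new SHA pin on pnpm/action-setup does not fix the pnpm release that runs the tests. These are pre-existing lines the commit only re-pins around, so this is a follow-up rather than a blocker.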