From 97391059154a2f4bb5f7658119897ca5213664fc Mon Sep 17 00:00:00 2001 From: Thomas Bray <87775189+MTG-Thomas@users.noreply.github.com> Date: Wed, 27 May 2026 13:16:03 -0400 Subject: [PATCH] chore(ci): pin GitHub Actions references to SHAs --- .github/workflows/deploy-winget.yml | 10 +++++----- .github/workflows/initial-deploy.yml | 6 +++--- .github/workflows/release-msi.yml | 8 ++++---- .github/workflows/release.yml | 26 +++++++++++++------------- 4 files changed, 25 insertions(+), 25 deletions(-) diff --git a/.github/workflows/deploy-winget.yml b/.github/workflows/deploy-winget.yml index a7d412b..b37ed57 100644 --- a/.github/workflows/deploy-winget.yml +++ b/.github/workflows/deploy-winget.yml @@ -15,10 +15,10 @@ jobs: name: Deploy to Azure Static Web Apps runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node.js (for SWA CLI) - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20' @@ -26,7 +26,7 @@ jobs: run: npm install -g @azure/static-web-apps-cli - name: Download release artifacts - uses: robinraju/release-downloader@v1.8 + uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # v1.8 with: latest: true fileName: "work-context-sync.msi" @@ -59,7 +59,7 @@ jobs: cp -r winget-repo/manifests winget-repo/_site/ - name: Deploy to Azure SWA - uses: Azure/static-web-apps-deploy@v1 + uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1 with: azure_static_web_apps_api_token: ${{ secrets.AZURE_SWA_DEPLOYMENT_TOKEN }} repo_token: ${{ secrets.GITHUB_TOKEN }} @@ -68,7 +68,7 @@ jobs: skip_app_build: true - name: Comment on release - uses: actions/github-script@v7 + uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7 with: script: | const release = context.payload.release; 
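Review bot: The trailing comments on the pinned lines mostly name a moving major tag (`# v4`, `# v7`, `# v1`), so a reviewer cannot confirm from the file which release each 40-character SHA corresponds to. This starts at the `actions/checkout` line in the first hunk of deploy-winget.yml and repeats in every hunk of the patch. Record the exact release tag instead, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # vX.Y.Z` (placeholder for the tag the SHA resolves to), and check each SHA against the upstream repository's own tags rather than a fork's. The diffstat lists only the four workflow files, so unless a Dependabot or Renovate rule for GitHub Actions already exists, these pins will never move and will miss upstream security fixes.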
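Review bot: The context line `run: npm install -g @azure/static-web-apps-cli` in the second hunk of deploy-winget.yml (`@@ -26,7`) still installs whatever version is latest at run time, which is the same mutable-reference risk this commit removes for the actions. The job later handles `secrets.AZURE_SWA_DEPLOYMENT_TOKEN`, so a bad CLI release would run in that environment; pin it, e.g. `run: npm install -g @azure/static-web-apps-cli@<pinned-version>`. The adjacent release-downloader step uses `latest: true` for `work-context-sync.msi`, and no hash check on the downloaded file is visible here, though the step list continues outside the hunk.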
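Review bot: No job-level `permissions:` block is visible for the deploy job, which hands `secrets.GITHUB_TOKEN` to the third-party deploy action in the `@@ -59,7` hunk; release-msi.yml, by contrast, declares one directly above `steps:`. If permissions are not set at workflow level outside these hunks, the token carries the repository default scope. Consider declaring the minimum explicitly, e.g. `permissions:` with `contents: read` plus whatever the later "Comment on release" script needs (its body runs past the hunk). The same applies to the equivalent job in initial-deploy.yml.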
diff --git a/.github/workflows/initial-deploy.yml b/.github/workflows/initial-deploy.yml index 43dc9e7..78fc10a 100644 --- a/.github/workflows/initial-deploy.yml +++ b/.github/workflows/initial-deploy.yml @@ -8,10 +8,10 @@ jobs: name: Deploy to Azure Static Web Apps runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node.js (for SWA CLI) - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: '20' @@ -29,7 +29,7 @@ jobs: cp -r winget-repo/manifests winget-repo/_site/ - name: Deploy to Azure SWA - uses: Azure/static-web-apps-deploy@v1 + uses: Azure/static-web-apps-deploy@1a947af9992250f3bc2e68ad0754c0b0c11566c9 # v1 with: azure_static_web_apps_api_token: ${{ secrets.AZURE_SWA_DEPLOYMENT_TOKEN }} repo_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-msi.yml b/.github/workflows/release-msi.yml index 08bcadd..9a118b8 100644 --- a/.github/workflows/release-msi.yml +++ b/.github/workflows/release-msi.yml @@ -16,7 +16,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set package version id: version @@ -36,12 +36,12 @@ jobs: "value=$version" >> $env:GITHUB_OUTPUT - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.10" - name: Set up .NET - uses: actions/setup-dotnet@v4 + uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4 with: dotnet-version: "8.0.x" @@ -77,7 +77,7 @@ jobs: - name: Upload workflow artifact if: github.event_name != 'release' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: work-context-sync-msi path: dist/work-context-sync.msi 
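Review bot: In release-msi.yml (`@@ -16,7`) the pinned `actions/checkout` step runs in a job with `permissions: contents: write`, and checkout by default leaves the job token in the local git config for every later step. The build steps that follow install and run toolchain code, so unless a step outside the hunk pushes with git, add `with:` / `persist-credentials: false` to the checkout step. The release job in release.yml (`@@ -109,10`) has the same `contents: write` followed by checkout and would benefit from the same change.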
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5327323..c9fcb9a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,10 +16,10 @@ jobs: name: Build Python Wheel runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' @@ -32,7 +32,7 @@ jobs: run: python -m build --wheel - name: Upload wheel artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: wheel path: dist/*.whl @@ -41,10 +41,10 @@ jobs: name: Build Windows Executable runs-on: windows-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: '3.11' @@ -59,7 +59,7 @@ jobs: pyinstaller work-context-sync.spec --clean --noconfirm - name: Upload executable artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: windows-exe path: dist/work-context-sync.exe @@ -69,7 +69,7 @@ jobs: Compress-Archive -Path "dist/work-context-sync.exe","config.example.json","README.md" -DestinationPath "dist/work-context-sync-windows.zip" - name: Upload ZIP artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: windows-zip path: dist/work-context-sync-windows.zip 
@@ -79,10 +79,10 @@ jobs: runs-on: windows-latest needs: build-windows-exe steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Download executable - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: windows-exe path: dist/ @@ -97,7 +97,7 @@ jobs: wix build -o dist/work-context-sync.msi installer/wix/work-context-sync.wxs - name: Upload MSI artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: windows-msi path: dist/work-context-sync.msi @@ -109,10 +109,10 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Download all artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: path: artifacts/ @@ -122,7 +122,7 @@ jobs: - name: Create Release id: create_release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@26994186c0ac3ef5cae75ac16aa32e8153525f77 # v1 with: name: Release ${{ github.ref_name || github.event.inputs.version }} draft: false
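Review bot: Pinning `softprops/action-gh-release` to a commit commented `# v1` in the last hunk freezes a third-party action on a major line that upstream has since superseded with v2, inside the job that holds `contents: write`. A SHA pin stops tag retargeting but also stops fixes from arriving, so it is worth deciding now whether to pin a reviewed v2 commit instead. The same question applies to `robinraju/release-downloader` at `# v1.8` in deploy-winget.yml. If v1 is kept deliberately, say so in the trailing comment, e.g. `# v1 (held back: <reason>)`.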