From f4999c46fa10860036d807a1c76d1eac693f326b Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Wed, 20 May 2026 22:35:33 -0700
Subject: [PATCH] chore: pin github actions to sha
---
 .github/actions/setup/action.yml | 4 ++--
 .github/workflows/ci.yml | 12 ++++++------
 .github/workflows/codeql.yml | 8 ++++----
 .github/workflows/publish-pub-dev.yml | 14 +++++++-------
 .github/workflows/publish.yml | 16 ++++++++--------
 .github/workflows/stale.yaml | 2 +-
 6 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index 4ece9a6e..94cd2983 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
@@ -16,10 +16,10 @@ runs:
 channel: 'stable'
 - name: Setup pnpm
- uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4
+ uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 - name: Setup Node.js
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version-file: .nvmrc
 cache: 'pnpm'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 86fc4f72..474be5cb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,7 +20,7 @@ jobs:
 lint:
 runs-on: macos-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: dart-lang/setup-dart@65eb853c7ba17dde3be364c3d2858773e7144260 # v1.7.2
 - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
@@ -43,7 +43,7 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
 with:
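Review bot: The tag comments on the new pins in this composite action, for example `uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0`, are not tied to the SHA by anything in the patch, so each comment is only as reliable as whoever typed it. GitHub resolves a commit SHA across a repository's fork network, so every SHA should be confirmed to be the commit the named tag points to in the upstream repository; `git ls-remote https://github.com/actions/setup-node 'refs/tags/v6.4.0*'` is one way to check. The same applies to the `ci.yml` pins that follow and to the other workflow files. Pinned SHAs also stop receiving upstream security fixes, so if the repository has no Dependabot or Renovate rule for the `github-actions` ecosystem (not visible in this patch), one should land alongside this change.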
@@ -70,7 +70,7 @@ jobs:
 - target: macos
 build_command: flutter build macos
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
 with:
@@ -97,10 +97,10 @@ jobs:
 build-android:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: 'Set up Java'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: 17
 distribution: 'temurin'
@@ -121,7 +121,7 @@ jobs:
 build-web:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2.23.0
 with:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 70715750..b6f38079 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -30,7 +30,7 @@ jobs:
 runner: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup Flutter (Swift)
 if: matrix.language == 'swift'
@@ -50,7 +50,7 @@ jobs:
 - name: Setup Java (Java/Kotlin)
 if: matrix.language == 'java-kotlin'
- uses: actions/setup-java@v5
+ uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
 with:
 java-version: 17
 distribution: 'temurin'
@@ -66,7 +66,7 @@ jobs:
 run: flutter pub get
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v4
+ uses: github/codeql-action/init@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 languages: ${{ matrix.language }}
 build-mode: ${{ matrix.build-mode }}
@@ -87,6 +87,6 @@ jobs:
 xcodebuild -workspace Runner.xcworkspace -scheme Runner -sdk iphonesimulator -destination 'generic/platform=iOS Simulator' build
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v4
+ uses: github/codeql-action/analyze@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
 with:
 category: '/language:${{matrix.language}}'
diff --git a/.github/workflows/publish-pub-dev.yml b/.github/workflows/publish-pub-dev.yml
index e794f864..3e4bb825 100644
--- a/.github/workflows/publish-pub-dev.yml
+++ b/.github/workflows/publish-pub-dev.yml
@@ -20,7 +20,7 @@ jobs:
 id-token: write # Required for authentication using OIDC
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: ${{ github.ref }}
 fetch-depth: 0
@@ -95,7 +95,7 @@ jobs:
 # Notify in case of failure
 - name: Send failure event to PostHog
 if: ${{ failure() }}
- uses: PostHog/posthog-github-action@v1
+ uses: PostHog/posthog-github-action@58dea254b598fb5d469c0699c98af8288a7f7650 # v1.2.0
 with:
 posthog-token: '${{ secrets.POSTHOG_PROJECT_API_KEY }}'
 event: 'posthog-flutter-release-workflow-failure'
@@ -110,7 +110,7 @@ jobs:
 - name: Restore Slack thread_ts from cache
 if: ${{ failure() }}
 id: restore-thread-ts-for-failure
- uses: actions/cache/restore@v5
+ uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: .slack-thread-ts
 key: slack-thread-ts-${{ steps.get-version.outputs.version }}
@@ -127,7 +127,7 @@ jobs:
 - name: Notify Slack - Failed
 continue-on-error: true
 if: ${{ failure() && steps.slack-thread-for-failure.outputs.thread_ts != '' }}
- uses: PostHog/.github/.github/actions/slack-thread-reply@main
+ uses: PostHog/.github/.github/actions/slack-thread-reply@d2e7c952fef6a22b2210bcffc70bec71abeeba03
 with:
 slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
 slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
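Review bot: The `slack-thread-reply` pin added in the hunk at old line 127 has no trailing ref comment, unlike every other pin in this patch, so a reader cannot tell which branch or release `d2e7c952fef6a22b2210bcffc70bec71abeeba03` was taken from. The replaced ref was `@main`, so `uses: PostHog/.github/.github/actions/slack-thread-reply@d2e7c952fef6a22b2210bcffc70bec71abeeba03 # main` would keep the provenance visible in the file. The same bare SHA appears in the hunks starting at old lines 169 and 180 of this file and in the `publish.yml` hunks starting at old lines 44, 67, 163 and 203. This step receives `secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN`, so the pinned ref should be easy to audit.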
@@ -149,7 +149,7 @@ jobs:
 - name: Restore Slack thread_ts from cache
 id: restore-thread-ts
- uses: actions/cache/restore@v5
+ uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: .slack-thread-ts
 key: slack-thread-ts-${{ steps.get-version.outputs.version }}
@@ -169,7 +169,7 @@ jobs:
 - name: Notify Slack - Released
 if: needs.publish.result == 'success'
 continue-on-error: true
- uses: PostHog/.github/.github/actions/slack-thread-reply@main
+ uses: PostHog/.github/.github/actions/slack-thread-reply@d2e7c952fef6a22b2210bcffc70bec71abeeba03
 with:
 slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
 slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
@@ -180,7 +180,7 @@ jobs:
 - name: Notify Slack - Failed
 if: needs.publish.result == 'failure'
 continue-on-error: true
- uses: PostHog/.github/.github/actions/slack-thread-reply@main
+ uses: PostHog/.github/.github/actions/slack-thread-reply@d2e7c952fef6a22b2210bcffc70bec71abeeba03
 with:
 slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
 slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f7958049..2814c04a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -23,7 +23,7 @@ jobs:
 has-changesets: ${{ steps.check.outputs.has-changesets }}
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: main
 fetch-depth: 0
@@ -44,7 +44,7 @@ jobs:
 name: Notify Slack - Approval Needed
 needs: check-changesets
 if: needs.check-changesets.outputs.has-changesets == 'true'
- uses: PostHog/.github/.github/workflows/notify-approval-needed.yml@main
+ uses: PostHog/.github/.github/workflows/notify-approval-needed.yml@d2e7c952fef6a22b2210bcffc70bec71abeeba03
 with:
 slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
 slack_user_group_id: ${{ vars.GROUP_CLIENT_LIBRARIES_SLACK_GROUP_ID }}
@@ -67,7 +67,7 @@ jobs:
 steps:
 - name: Notify Slack - Approved
 continue-on-error: true
- uses: PostHog/.github/.github/actions/slack-thread-reply@main
+ uses: PostHog/.github/.github/actions/slack-thread-reply@d2e7c952fef6a22b2210bcffc70bec71abeeba03
 with:
 slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
 slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
@@ -77,13 +77,13 @@ jobs:
 - name: Get GitHub App token
 id: releaser
- uses: actions/create-github-app-token@v3
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 with:
 client-id: ${{ secrets.GH_APP_POSTHOG_FLUTTER_RELEASER_APP_ID }}
 private-key: ${{ secrets.GH_APP_POSTHOG_FLUTTER_RELEASER_PRIVATE_KEY }}
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 ref: main
 fetch-depth: 0
@@ -146,7 +146,7 @@ jobs:
 - name: Cache Slack thread_ts for publish workflow
 if: steps.commit-version-bump.outputs.commit-hash != ''
- uses: actions/cache/save@v5
+ uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: .slack-thread-ts
 key: slack-thread-ts-${{ steps.apply-changesets.outputs.new-version }}
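Review bot: Pinning the reusable workflow `notify-approval-needed.yml` to a SHA (hunk at old line 44) fixes that one file, but the `uses:` references inside it are resolved as written at that commit, so any action it calls by tag or branch stays mutable. The called workflow's contents are not part of this patch, so this needs checking in `PostHog/.github` at `d2e7c952fef6a22b2210bcffc70bec71abeeba03`. The same holds for the composite `slack-thread-reply` action pinned in the next hunk. A comment above the line, such as `# reusable workflow: inner actions must be SHA-pinned in PostHog/.github as well`, would record the dependency for whoever next bumps the SHA.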
@@ -163,7 +163,7 @@ jobs:
 - name: Notify Slack - Failed
 continue-on-error: true
 if: ${{ failure() && needs.notify-approval-needed.outputs.slack_ts != '' }}
- uses: PostHog/.github/.github/actions/slack-thread-reply@main
+ uses: PostHog/.github/.github/actions/slack-thread-reply@d2e7c952fef6a22b2210bcffc70bec71abeeba03
 with:
 slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
 slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
@@ -203,7 +203,7 @@ jobs:
 - name: Notify Slack - Rejected
 if: steps.check-rejection.outputs.was_rejected == 'true'
 continue-on-error: true
- uses: PostHog/.github/.github/actions/slack-thread-reply@main
+ uses: PostHog/.github/.github/actions/slack-thread-reply@d2e7c952fef6a22b2210bcffc70bec71abeeba03
 with:
 slack_bot_token: ${{ secrets.SLACK_CLIENT_LIBRARIES_BOT_TOKEN }}
 slack_channel_id: ${{ vars.SLACK_APPROVALS_CLIENT_LIBRARIES_CHANNEL_ID }}
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
index 8fe59a84..a1f6b43b 100644
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -25,7 +25,7 @@ jobs:
 echo "skip=false" >> $GITHUB_OUTPUT
 fi
- - uses: actions/stale@v10
+ - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0
 if: steps.holiday.outputs.skip != 'true'
 with:
 days-before-issue-stale: 730