Pin 3rd party GH actions to commit SHA1 while keeping standard actions pointing to exact versions.

yruslan · yruslan · commit 9f4d937e5d5b · 2026-01-14T10:13:29.000+01:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -35,11 +35,9 @@ jobs:
     name: Spark ${{matrix.spark}} on Scala ${{matrix.scala}}
     steps:
       - name: Checkout code
-        # gh api repos/actions/checkout/commits/v6.0.2 --jq '.sha'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@v6.0.2
       - name: Setup JDK
-        # gh api repos/actions/setup-java/commits/v5.1.0 --jq '.sha'
-        uses:  actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e
+        uses: actions/setup-java@v5.1.0
         with:
           distribution: temurin
           java-version: 8
diff --git a/.github/workflows/fossa.yml b/.github/workflows/fossa.yml
@@ -19,6 +19,7 @@ jobs:
         uses: actions/checkout@v6.0.2
 
       - name: Run FOSSA scan and upload build data
-        uses: fossa-contrib/fossa-action@v3.0.1
+        # gh api repos/fossa-contrib/fossa-action/commits/v3.0.1 --jq '.sha'
+        uses: fossa-contrib/fossa-action@3d2ef181b1820d6dcd1972f86a767d18167fa19b
         with:
           fossa-api-key: ${{secrets.FOSSA_API_KEY}}
diff --git a/.github/workflows/jacoco_check.yml b/.github/workflows/jacoco_check.yml
@@ -60,7 +60,8 @@ jobs:
         run: sbt ++${{matrix.scala}} jacoco -DSPARK_VERSION=${{matrix.spark}}
       - name: Add coverage of 'cobol-parser' to PR
         id: jacocoParser
-        uses: madrapps/jacoco-report@v1.7.2
+        # gh api repos/madrapps/jacoco-report/commits/v1.7.2 --jq '.sha'
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: >
             ${{ github.workspace }}/cobol-parser/target/scala-${{ matrix.scalaShort }}/jacoco/report/jacoco.xml
@@ -75,7 +76,8 @@ jobs:
           echo "Changed Files coverage ${{ steps.jacoco.outputs.coverage-changed-files }}"
       - name: Add coverage of 'spark-cobol' to PR
         id: jacoco
-        uses: madrapps/jacoco-report@v1.7.2
+        # gh api repos/madrapps/jacoco-report/commits/v1.7.2 --jq '.sha'
+        uses: madrapps/jacoco-report@50d3aff4548aa991e6753342d9ba291084e63848
         with:
           paths: >
             ${{ github.workspace }}/spark-cobol/target/scala-${{ matrix.scalaShort }}/jacoco/report/jacoco.xml
