ci: pin all GitHub Actions to immutable SHAs

CoderDeltaLAN · CoderDeltaLAN · commit 186629d4eef1 · 2025-09-22T10:04:22.000+01:00
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-nodeea5288caeca8642d1e84afbd3f7d6820020@v4
         with: { node-version: "20" }
       - run: npm ci
       # Placeholder para fuzz real; mantener job verde
diff --git a/.github/workflows/ghcr-publish.yml b/.github/workflows/ghcr-publish.yml
@@ -12,7 +12,7 @@ jobs:
     steps:
       - uses: actions/checkout@v5
       - uses: docker/setup-buildx-action@v3
-      - uses: docker/login-action@v3
+      - uses: docker/login-actionbdaa0721073962dff0199f1fb9940f07167d1@v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -24,7 +24,7 @@ jobs:
           tags: |
             type=raw,value=latest
             type=ref,event=tag
-      - uses: docker/build-push-action@v6
+      - uses: docker/build-push-actiond21b8e681c14492fe198d362a7d2c83@v6
         with:
           context: .
           push: true
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -9,7 +9,7 @@ jobs:
   label:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeleredcd8ababfe52f92936142cc22ac488b1b@v6
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           sync-labels: true
diff --git a/.github/workflows/release-sbom.yml b/.github/workflows/release-sbom.yml
@@ -20,6 +20,6 @@ jobs:
           format: cyclonedx-json
           output-file: sbom-cyclonedx.json
       - name: Attach SBOM to release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-releasecbd405e2c4e67a21c47fa9e383d020e4e28b836@v2
         with:
           files: sbom-cyclonedx.json
