ci: github: Pin actions with sha as version

rzr · rzr · commit 1e579f804f76 · 2025-05-21T16:17:15.000+02:00
This practice prevent actions tags to be replaced (potenially maliciously) Note 2 spaces are added before comments to pass yamlint, please keep this consistant for machine parsing. Origin: #103 Relate-to: #67 Relate-to: https://c.s.c/x/fra7Jg Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/.github/workflows/build-rootfs.yml b/.github/workflows/build-rootfs.yml
@@ -16,7 +16,8 @@ jobs:
           - arm64
           # - armhf # TODO Enable when supported
     steps:
-      - uses: actions/checkout@v4.2.2
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
           # Relate-to: https://github.com/actions/checkout/pull/2081#2025
@@ -34,7 +35,8 @@ jobs:
           UNIFYSDK_GIT_TAG=${{ secrets.UNIFYSDK_GIT_TAG }}
           ./scripts/build-rootfs.sh
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        # yamllint disable-line rule:line-length
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           # yamllint disable-line rule:line-length
           name: ${{ github.event.repository.name }}-${{ steps.describe.outputs.describe }}-${{ matrix.arch }}
@@ -47,8 +49,10 @@ jobs:
         id: upload-release-asset
         env:
           token-defined: ${{ secrets.GH_UNIFY_ACCESS_TOKEN != '' }}
+        # yamllint disable-line rule:line-length
         if: ${{ env.token-defined == true && startsWith(github.ref, 'refs/tags/') }}
-        uses: softprops/action-gh-release@v2
+        # yamllint disable-line rule:line-length
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631  # v2.2.2
         with:
           files: build/dist/*
           # yamllint disable-line rule:line-length
@@ -57,7 +61,8 @@ jobs:
       - name: Upload pages artifact
         id: deployment
         if: startsWith(github.ref, 'refs/tags/') && matrix.arch == 'amd64'
-        uses: actions/upload-pages-artifact@v3.0.1
+        # yamllint disable-line rule:line-length
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa  # v3.0.1
         with:
           path: docs/
   deploy:
@@ -72,5 +77,6 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        # yamllint disable-line rule:line-length
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e  # v4.0.5
         if: startsWith(github.ref, 'refs/tags/')
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -14,7 +14,8 @@ jobs:
       project-name: z-wave-protocol-controller  # Align to docker (lowercase)
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4.1.1
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
       - id: describe
@@ -37,7 +38,8 @@ jobs:
           df -h
 
       - name: Upload container image
-        uses: ishworkh/container-image-artifact-upload@v2.0.0
+        # yamllint disable-line rule:line-length
+        uses: ishworkh/container-image-artifact-upload@5d71a2417f0576fa11fe770fb04ece58c4587714  # v2.0.0
         with:
           image: "${{ env.project-name }}:latest"
           retention_days: 10
@@ -48,7 +50,8 @@ jobs:
           && docker cp
           ${container}:/usr/local/opt/${{ env.project-name }}/dist .
       - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        # yamllint disable-line rule:line-length
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           # yamllint disable-line
           name: ${{ github.event.repository.name }}-${{ steps.describe.outputs.describe }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -22,20 +22,23 @@ jobs:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
       - name: Download image
-        uses: ishworkh/container-image-artifact-download@v2.0.0
+        # yamllint disable-line rule:line-length
+        uses: ishworkh/container-image-artifact-download@ccb3671db007622e886a2d7037eb62b119d5ffaf  # v2.0.0
         with:
           image: "${{ env.project-name }}:latest"
           workflow: "build"
           token: ${{ secrets.GH_SL_ACCESS_TOKEN }}
           workflow_run_id: ${{ github.event.workflow_run.id }}
 
-      - uses: actions/checkout@v4.1.1
+      # yamllint disable-line rule:line-length
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
           ref: ${{ github.event.workflow_run.head_commit.id }}
 
       - name: Download embedded applications package
-        uses: robinraju/release-downloader@v1.12
+        # yamllint disable-line rule:line-length
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05  # v1.12
         with:
           repository: 'Z-Wave-Alliance/z-wave-stack-binaries'
           tag: 'v25.1.0-28-g7e0b50f'
@@ -74,7 +77,8 @@ jobs:
         continue-on-error: true
 
       - name: Propagate run status to commit status
-        uses: actions/github-script@v7
+        # yamllint disable-line rule:line-length
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea  # v7.0.1
         if: always()
         env:
           status: ${{ steps.run.outcome }}
