chore: pin actions to SHA in .github/workflows/build.yml

slawomirbabicz · slawomirbabicz · commit 29dbeeee968a · 2026-04-09T17:06:54.000+02:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -13,15 +13,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4.9.1
         with:
           python-version: "3.10" # Adjust based on your project’s requirements
 
       - name: Install PocketIC server
-        uses: dfinity/pocketic@main
+        uses: dfinity/pocketic@20c33db1aa87cc6ece50857ac632c37acf5e0322 # main
         with:
           pocket-ic-server-version: "13.0.0"
 
@@ -39,7 +39,7 @@ jobs:
           python3 examples/counter_canister/counter_canister_test.py
 
       - name: Install Poetry
-        uses: snok/install-poetry@v1
+        uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a # v1.4.1
         with:
           version: latest
 
@@ -51,14 +51,14 @@ jobs:
 
       - if: matrix.os == 'ubuntu-latest'
         name: Upload wheel file
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: pocket_ic_${{ github.sha }}.whl
           path: dist/*.whl
 
       - if: matrix.os == 'ubuntu-latest'
         name: Upload sources
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: pocket_ic_${{ github.sha }}.tar.gz
           path: dist/*.tar.gz
@@ -73,11 +73,11 @@ jobs:
     permissions: write-all
 
     steps:
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: pocket_ic_${{ github.sha }}.whl
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           name: pocket_ic_${{ github.sha }}.tar.gz
 
@@ -100,10 +100,10 @@ jobs:
           cp *.tar.gz dist/
 
       - name: upload artifacts to release page
-        uses: softprops/action-gh-release@master
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # master
         with:
           files: |
             ${{ steps.set_name_whl.outputs.artifact_name }}
 
       - name: Publish package distributions to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # release/v1
