Merge pull request #493 from fac/devp/pin-action-shas

DuncSmith · web-flow · commit 0fbe6d734b25 · 2025-12-23T12:59:39.000Z
Pin GitHub Actions to specific commit SHAs
diff --git a/.github/workflows/check-pinned-actions.yml b/.github/workflows/check-pinned-actions.yml
@@ -0,0 +1,11 @@
+name: Check actions have their versions pinned
+
+on:
+  push:
+    paths:
+      - '.github/workflows/*.yml'
+      - '.github/workflows/*.yaml'
+
+jobs:
+  pinact:
+    uses: fac/shared-workflows/.github/workflows/check_pinned_actions.yml@main
diff --git a/.github/workflows/freeagent-gem.yml b/.github/workflows/freeagent-gem.yml
@@ -10,16 +10,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ruby/setup-ruby@d354de180d0c9e813cfddfcbdc079945d4be589b # v1.275.0
         with:
           bundler-cache: true # bundle install
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: "3.9"
       - name: Setup Poetry # Required for testing but not for building the gem.
-        uses: abatilo/actions-poetry@v3.0.2
+        uses: abatilo/actions-poetry@65c61eae400c65c9510a584af85138c1ae19bbc0 # v3.0.2
         with:
           poetry-version: "1.1.13"
       - run: bundle install
@@ -33,11 +33,11 @@ jobs:
       version: ${{ steps.release-gem.outputs.pushed-version }}
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ruby/setup-ruby@d354de180d0c9e813cfddfcbdc079945d4be589b # v1.275.0
         with:
           bundler-cache: true
-      - uses: fac/ruby-gem-setup-credentials-action@v2
+      - uses: fac/ruby-gem-setup-credentials-action@5f62d5f2f56a11c7422a92f81fbb29af01e1c00f # v2
         with:
           token: ${{ secrets.github_token }}
 
@@ -48,14 +48,14 @@ jobs:
       - name: Release Gem
         id: release-gem
         if: ${{ github.ref == 'refs/heads/main' }}
-        uses: fac/ruby-gem-push-action@v2
+        uses: fac/ruby-gem-push-action@81d77bf568ff6659d7fae0f0c5a036bb0aeacb1a # v2
         with:
           key: github
 
       # PR branch builds will release pre-release gems
       - name: Pre-Release Gem
         if: ${{ github.ref != 'refs/heads/main' }}
-        uses: fac/ruby-gem-push-action@v2
+        uses: fac/ruby-gem-push-action@81d77bf568ff6659d7fae0f0c5a036bb0aeacb1a # v2
         with:
           key: github
           pre-release: true
diff --git a/.github/workflows/push-to-ghcr.yml b/.github/workflows/push-to-ghcr.yml
@@ -18,7 +18,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Build image
         run: |
           docker build . \
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,14 +7,14 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ruby/setup-ruby@d354de180d0c9e813cfddfcbdc079945d4be589b # v1.275.0
       - name: Setup Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
         with:
           python-version: "3.9"
       - name: Setup Poetry
-        uses: abatilo/actions-poetry@v3.0.2
+        uses: abatilo/actions-poetry@65c61eae400c65c9510a584af85138c1ae19bbc0 # v3.0.2
         with:
           poetry-version: "1.1.13"
       - run: bundle install
@@ -24,7 +24,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
-      - uses: ruby/setup-ruby@v1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ruby/setup-ruby@d354de180d0c9e813cfddfcbdc079945d4be589b # v1.275.0
       - run: bundle install
       - run: bundle exec rubocop
diff --git a/.pinact.yaml b/.pinact.yaml
@@ -0,0 +1,5 @@
+---
+version: 3
+ignore_actions:
+- name: fac/.*
+  ref: "^(main|master)$"
