chore(deps): pin dependencies (#6627)

renovate[bot] · web-flow · commit 16b0e139897e · 2025-03-19T17:44:39.000+02:00
Co-authored-by: renovate[bot] &lt;29139614+renovate[bot]@users.noreply.github.com&gt;
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -38,12 +38,12 @@ runs:
         fi
 
     - name: install pnpm
-      uses: pnpm/action-setup@v4.0.0
+      uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
       with:
         version: ${{ steps.pnpm.outputs.version }}
 
     - name: install nodejs
-      uses: actions/setup-node@v4.1.0
+      uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
       with:
         node-version-file: .node-version
         cache: ${{ steps.pnpm.outputs.cache }}
diff --git a/.github/workflows/apollo-router-release.yaml b/.github/workflows/apollo-router-release.yaml
@@ -37,7 +37,7 @@ jobs:
       release_version: ${{ steps.find_changes.outputs.release_version }}
       release_latest: ${{ steps.find_changes.outputs.release_latest }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
diff --git a/.github/workflows/apollo-router-updater.yaml b/.github/workflows/apollo-router-updater.yaml
@@ -15,7 +15,7 @@ jobs:
       contents: write
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 1
 
@@ -26,7 +26,7 @@ jobs:
           actor: apollo-router-updater
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
         with:
           toolchain: '1.84.1'
           default: true
@@ -43,7 +43,7 @@ jobs:
 
       - name: Create Pull Request
         if: steps.check.outputs.update == 'true'
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           commit-message: Update apollo-router to version ${{ steps.check.outputs.version }}
diff --git a/.github/workflows/build-and-dockerize.yaml b/.github/workflows/build-and-dockerize.yaml
@@ -51,7 +51,7 @@ jobs:
       pull-requests: write
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
@@ -69,7 +69,7 @@ jobs:
         if: ${{ inputs.build }}
         run: pnpm turbo check:build
 
-      - uses: vimtor/action-zip@v1
+      - uses: vimtor/action-zip@5f1c4aa587ea41db1110df6a99981dbe19cee310 # v1
         name: archive javascript artifacts
         if: ${{ inputs.uploadJavaScriptArtifacts }}
         with:
@@ -81,7 +81,7 @@ jobs:
 
       - name: upload artifact
         if: ${{ inputs.uploadJavaScriptArtifacts }}
-        uses: randomairborne/r2-release@v1.0.2
+        uses: randomairborne/r2-release@9cbc35a2039ee2ef453a6988cd2a85bb2d7ba8af # v1.0.2
         with:
           endpoint: https://6d5bc18cd8d13babe7ed321adba3d8ae.r2.cloudflarestorage.com
           accesskeyid: ${{ secrets.R2_ACCESS_KEY_ID }}
@@ -91,7 +91,7 @@ jobs:
           destination: ${{ inputs.imageTag }}.zip
 
       - name: upload app persisted documents artifact
-        uses: randomairborne/r2-release@v1.0.2
+        uses: randomairborne/r2-release@9cbc35a2039ee2ef453a6988cd2a85bb2d7ba8af # v1.0.2
         with:
           endpoint: https://6d5bc18cd8d13babe7ed321adba3d8ae.r2.cloudflarestorage.com
           accesskeyid: ${{ secrets.R2_ACCESS_KEY_ID }}
@@ -101,7 +101,7 @@ jobs:
           destination: ${{ inputs.imageTag }}.app.documents.json
 
       - name: upload graphql schema
-        uses: randomairborne/r2-release@v1.0.2
+        uses: randomairborne/r2-release@9cbc35a2039ee2ef453a6988cd2a85bb2d7ba8af # v1.0.2
         with:
           endpoint: https://6d5bc18cd8d13babe7ed321adba3d8ae.r2.cloudflarestorage.com
           accesskeyid: ${{ secrets.R2_ACCESS_KEY_ID }}
@@ -112,17 +112,17 @@ jobs:
 
       - name: configure docker buildx
         if: ${{ inputs.dockerize }}
-        uses: docker/setup-buildx-action@v3.8.0
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: login to docker registry
         if: ${{ inputs.dockerize }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ${{ inputs.registry }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: frabert/replace-string-action@v2.5
+      - uses: frabert/replace-string-action@b6828c5a4cb6371753ff873b0d1c4c4fbd9a63cb # v2.5
         id: branch_name_fix
         name: sanitize branch name
         if: ${{ inputs.dockerize }}
@@ -132,7 +132,7 @@ jobs:
           string: ${{ github.head_ref || github.ref_name }}
           replace-with: '_'
 
-      - uses: frabert/replace-string-action@v2.5
+      - uses: frabert/replace-string-action@b6828c5a4cb6371753ff873b0d1c4c4fbd9a63cb # v2.5
         id: docker_cache_key
         name: build cache key
         if: ${{ inputs.dockerize }}
@@ -146,7 +146,7 @@ jobs:
         timeout-minutes: 60
         id: docker-bake
         if: ${{ inputs.dockerize }}
-        uses: docker/bake-action@v6.0.0
+        uses: docker/bake-action@5ca506d06f70338a4968df87fd8bfee5cbfb84c7 # v6.0.0
         env:
           DOCKER_REGISTRY: ${{ inputs.registry }}/${{ inputs.imageName }}/
           COMMIT_SHA: ${{ inputs.imageTag }}
@@ -169,7 +169,7 @@ jobs:
             *.cache-to=type=gha,mode=max,ignore-error=true,scope=${{ steps.docker_cache_key.outputs.replaced }}
 
       - name: docker details pr comment
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@52423e01640425a022ef5fd42c6fb5f633a02728 # v2
         if:
           ${{ inputs.dockerize && github.event_name == 'pull_request' && inputs.publishPrComment }}
         with:
@@ -208,16 +208,16 @@ jobs:
     name: publish multiarch manifest
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
       - name: configure docker buildx
-        uses: docker/setup-buildx-action@v3.8.0
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
 
       - name: login to docker registry
         if: ${{ inputs.dockerize }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ${{ inputs.registry }}
           username: ${{ github.actor }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -17,15 +17,15 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: initialize
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
         with:
           languages: ${{ matrix.language }}
 
       - name: autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
 
       - name: analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3
diff --git a/.github/workflows/db-types-diff.yaml b/.github/workflows/db-types-diff.yaml
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: setup environment
         uses: ./.github/actions/setup
diff --git a/.github/workflows/dockerize-cli.yaml b/.github/workflows/dockerize-cli.yaml
@@ -24,17 +24,17 @@ jobs:
       pull-requests: write
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
       - name: configure eqemu
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
         with:
           platforms: 'linux/arm64,linux/amd64'
       - name: configure docker buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
       - name: login to docker registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         with:
           registry: ${{ inputs.registry }}
           username: ${{ github.actor }}
@@ -60,7 +60,7 @@ jobs:
       - name: build docker images
         timeout-minutes: 360
         id: docker-bake
-        uses: docker/bake-action@v6.0.0
+        uses: docker/bake-action@5ca506d06f70338a4968df87fd8bfee5cbfb84c7 # v6.0.0
         env:
           DOCKER_REGISTRY: ${{ inputs.registry }}/${{ inputs.imageName }}/
           COMMIT_SHA: ${{ inputs.cliVersion }}
diff --git a/.github/workflows/graphql-schema-check.yaml b/.github/workflows/graphql-schema-check.yaml
@@ -21,7 +21,7 @@ jobs:
     if: needs.search-token.outputs.hive_token_present == 'true'
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
diff --git a/.github/workflows/graphql-schema-publish.yaml b/.github/workflows/graphql-schema-publish.yaml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -7,7 +7,7 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
@@ -20,7 +20,7 @@ jobs:
         run: pnpm lint:env-template
 
       - name: Cache ESLint and Prettier
-        uses: actions/cache@v4
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
         with:
           path: |
             .eslintcache
diff --git a/.github/workflows/open-source-summary.yaml b/.github/workflows/open-source-summary.yaml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 1
 
diff --git a/.github/workflows/pr-closed.yaml b/.github/workflows/pr-closed.yaml
@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Cleanup
         run: |
diff --git a/.github/workflows/prettier.yaml b/.github/workflows/prettier.yaml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
           ref: ${{ github.event.inputs.branch }}
@@ -27,7 +27,7 @@ jobs:
           actor: prettier
 
       - name: Cache ESLint and Prettier
-        uses: actions/cache@v4
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
         with:
           path: |
             .eslintcache
diff --git a/.github/workflows/publish-rust.yaml b/.github/workflows/publish-rust.yaml
@@ -21,7 +21,7 @@ jobs:
       rust_changed: ${{ steps.rust_changed.outputs.rust_changed }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
       - name: Look for changes
@@ -44,7 +44,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
@@ -82,7 +82,7 @@ jobs:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Install Rust
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1
         with:
           toolchain: '1.84.1'
           target: ${{ env.RUST_TARGET }}
@@ -94,10 +94,10 @@ jobs:
           rustup default 1.84.1-${{ env.RUST_TARGET }}
 
       - name: Cache Rust
-        uses: Swatinem/rust-cache@v2
+        uses: Swatinem/rust-cache@9d47c6ad4b02e050fd481d890b2ea34778fd09d6 # v2
 
       - name: Build
-        uses: actions-rs/cargo@v1
+        uses: actions-rs/cargo@844f36862e911db73fe0815f00a4a2602c279505 # v1
         with:
           command: build
           args: --release
@@ -118,7 +118,7 @@ jobs:
 
       - name: Upload to R2 (${{ inputs.version }})
         if: ${{ inputs.publish }}
-        uses: randomairborne/r2-release@v1.0.2
+        uses: randomairborne/r2-release@9cbc35a2039ee2ef453a6988cd2a85bb2d7ba8af # v1.0.2
         with:
           endpoint: https://6d5bc18cd8d13babe7ed321adba3d8ae.r2.cloudflarestorage.com
           accesskeyid: ${{ secrets.R2_ACCESS_KEY_ID }}
@@ -129,7 +129,7 @@ jobs:
 
       - name: Upload to R2 (latest)
         if: ${{ inputs.publish && inputs.latest }}
-        uses: randomairborne/r2-release@v1.0.2
+        uses: randomairborne/r2-release@9cbc35a2039ee2ef453a6988cd2a85bb2d7ba8af # v1.0.2
         with:
           endpoint: https://6d5bc18cd8d13babe7ed321adba3d8ae.r2.cloudflarestorage.com
           accesskeyid: ${{ secrets.R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/release-alpha.yaml b/.github/workflows/release-alpha.yaml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
diff --git a/.github/workflows/release-stable.yaml b/.github/workflows/release-stable.yaml
@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -56,7 +56,7 @@ jobs:
 
       - name: publish stable
         id: changesets
-        uses: changesets/action@v1.4.9
+        uses: changesets/action@c8bada60c408975afd1a20b3db81d6eee6789308 # v1.4.9
         with:
           publish: pnpm release
           version: pnpm release:version
diff --git a/.github/workflows/storybook.yaml b/.github/workflows/storybook.yaml
@@ -6,7 +6,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
diff --git a/.github/workflows/tests-db-migrations.yaml b/.github/workflows/tests-db-migrations.yaml
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 2
 
diff --git a/.github/workflows/tests-e2e.yaml b/.github/workflows/tests-e2e.yaml
diff --git a/.github/workflows/tests-integration.yaml b/.github/workflows/tests-integration.yaml
diff --git a/.github/workflows/tests-unit.yaml b/.github/workflows/tests-unit.yaml
diff --git a/.github/workflows/typescript-typecheck.yaml b/.github/workflows/typescript-typecheck.yaml
diff --git a/.github/workflows/website.yaml b/.github/workflows/website.yaml
