chore: pin shas (lerna#4230)

Author: JamesHenry

.github/actions/install-node-and-dependencies/action.yml

@@ -13,7 +13,7 @@ runs:
   using: "composite"
   steps:
     - name: Install node and npm based on the given values (or the volta config in package.json)
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
       with:
         node-version-file: ${{ inputs.node-version == '' && 'package.json' || '' }}
         node-version: ${{ inputs.node-version }}

.github/workflows/ci.yml

@@ -27,11 +27,11 @@ jobs:
     env:
       NX_CI_EXECUTION_ENV: "linux"
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
 
-      - uses: nrwl/nx-set-shas@v4
+      - uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4
 
       - name: Start Nx Cloud CI Run - Linux
         run: npx nx-cloud start-ci-run --stop-agents-after="e2e"
@@ -40,7 +40,7 @@ jobs:
         uses: ./.github/actions/install-node-and-dependencies
 
       - name: Run parallel distributed tasks
-        uses: jameshenry/parallel-bash-commands@v1
+        uses: jameshenry/parallel-bash-commands@943dfd1eebfab8bbf19782c47a85c9ca7e8d245c # v1
         with:
           cmd1: npx nx-cloud record -- npx nx format:check
           cmd2: npx nx run-many -t build --parallel=3
@@ -65,7 +65,7 @@ jobs:
       matrix:
         agent: [1, 2, 3, 4]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Configure git metadata
         run: |
@@ -130,7 +130,7 @@ jobs:
       TEMP: C:\temp
       TMP: C:\temp
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Start Nx Cloud CI Run - Windows
         run: npx nx-cloud start-ci-run --stop-agents-after="test"
@@ -174,7 +174,7 @@ jobs:
       TEMP: C:\temp
       TMP: C:\temp
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Configure git metadata
         run: |
@@ -199,12 +199,12 @@ jobs:
       NX_CI_EXECUTION_ENV: "linux"
       NX_CLOUD_DISTRIBUTED_EXECUTION: false
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
 
       - name: Derive appropriate SHAs for base and head for `nx affected` commands
-        uses: nrwl/nx-set-shas@v4
+        uses: nrwl/nx-set-shas@826660b82addbef3abff5fa871492ebad618c9e1 # v4
 
       - name: Configure git metadata
         run: |

.github/workflows/other-node-versions.yml

@@ -47,7 +47,7 @@ jobs:
       matrix:
         node: ${{ fromJson(needs.set-node-versions.outputs.node-versions) }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           fetch-depth: 0
 
@@ -112,7 +112,7 @@ jobs:
       #     git config --global user.signingkey $GPG_KEY_ID
 
       - name: Run parallel distributed builds and tests on each node version
-        uses: jameshenry/parallel-bash-commands@v1
+        uses: jameshenry/parallel-bash-commands@943dfd1eebfab8bbf19782c47a85c9ca7e8d245c # v1
         with:
           cmd1: npx nx run-many -t build --parallel=3
           cmd2: npx nx run-many -t test --parallel=3 --ci --maxWorkers=2
@@ -162,7 +162,7 @@ jobs:
         # Create 4 agents per node version
         agent: [1, 2, 3, 4]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 
       - name: Configure git metadata
         run: |

.github/workflows/pkg-pr-new.yml

@@ -36,20 +36,20 @@ jobs:
         run: echo "${{ github.event.pull_request.html_url }}"
 
       # Check out the PR branch HEAD as a shallow clone
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
         with:
           persist-credentials: false
 
       - name: Install Node.js per package.json
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           # Use the volta.node property as the source of truth
           node-version-file: "package.json"
           # Disable caching given this workflow could be run on forks (security risk)
           package-manager-cache: false
 
       - name: Check PR branch HEAD has not changed since review comment
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |

.github/workflows/website-deploy.yml

@@ -21,29 +21,35 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 20
-          cache: npm
+
       - name: Install dependencies
         run: npm ci --omit=optional
+
       - name: Test build website
         run: npm run build
+
   deploy:
-    if: github.event_name != 'pull_request'
+    if: github.repository == 'lerna/lerna' && github.event_name != 'pull_request'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: webfactory/[email protected]
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+
+      - uses: webfactory/ssh-agent@fc49353b67b2b7c1e0e6a600572d01a69f2672dd # v0.5.4
         with:
           ssh-private-key: ${{ secrets.GH_PAGES_DEPLOY }}
-      - uses: actions/setup-node@v4
+
+      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
         with:
           node-version: 20
-          cache: npm
+
       - name: Install dependencies
         run: npm ci --omit=optional
+
       - name: Deploy to lerna/website
         env:
           USE_SSH: true