Pin actions/setup-python to hash

konstin · konstin · commit 2500d8ef8f53 · 2025-08-18T15:59:06.000+02:00
GitHub has recently added support for requiring pinning hashes in actions (https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/). This is more secure - tags can be changed - and prevents CI from breaking on a bad update. The policy applies transitively to all used actions, which breaks this action when the policy is enabled (https://github.com/astral-sh/uv/actions/runs/17008660079/job/48221734296). This PR switches to using a hash for the action. If desired, renovate can be configured to update the hash (`pinDigests: true`)
diff --git a/action.yml b/action.yml
@@ -139,7 +139,7 @@ runs:
   - name: Install Python 3
     if: steps.pre-installed-python.outputs.python-path == ''
     id: new-python
-    uses: actions/setup-python@v5
+    uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
     with:
       python-version: 3.x
   - name: Create Docker container action
