ci: pin all GitHub actions by hash

anujm1 · anujm1 · commit 16ace557dd08 · 2026-03-05T20:21:34.000+05:30
GitHub [1] and zizmor [2] recommend that actions, especially third party actions, should be pinned by hash instead of tags since tags are mutable and can introduce vulnerabilities if a malicious actor gains access to the action repository [3]. Change all actions to use hash instead of tag. [1] https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions [2] https://docs.zizmor.sh/audits/#unpinned-uses [3] https://nvd.nist.gov/vuln/detail/cve-2025-30066 Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
diff --git a/.github/actions/lava-test-plans/action.yml b/.github/actions/lava-test-plans/action.yml
@@ -23,7 +23,7 @@ inputs:
 runs:
   using: "composite"
   steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           repository: qualcomm-linux/lava-test-plans
diff --git a/.github/workflows/build-yocto.yml b/.github/workflows/build-yocto.yml
@@ -34,7 +34,7 @@ jobs:
           wget -qO ${KAS_CONTAINER} https://raw.githubusercontent.com/siemens/kas/refs/tags/$LATEST/kas-container
           chmod +x ${KAS_CONTAINER}
 
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -43,13 +43,13 @@ jobs:
           ${KAS_CONTAINER} lock --update ci/base.yml:ci/qcom-distro.yml
 
       - name: Upload kas lockfile
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: kas-lockfile
           path: ci/*.lock.yml
 
       - name: Upload kas-container
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
         with:
           name: kas-container
           path: ${{ env.KAS_CONTAINER }}
@@ -59,18 +59,18 @@ jobs:
     if: github.repository_owner == 'qualcomm-linux'
     runs-on: [self-hosted, qcom-u2404, amd64]
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Download kas lockfile
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           name: kas-lockfile
           path: ci
 
       - name: Download kas-container
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           name: kas-container
           path: ${{ runner.temp }}
@@ -120,7 +120,7 @@ jobs:
             yamlfile: ":ci/linux-qcom-rt-6.18.yml:ci/qcom-distro-kvm.yml"
     name: ${{ matrix.machine }}/${{ matrix.distro.name }}${{ matrix.kernel.dirname }}
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -243,7 +243,7 @@ jobs:
                 yamlfile: ":ci/linux-qcom-6.18.yml:ci/u-boot-qcom.yml"
     name: ${{ matrix.machine }}/${{ matrix.distro.name }}${{ matrix.kernel.dirname }}
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -264,7 +264,7 @@ jobs:
     runs-on: [self-hosted, qcom-u2404, amd64]
     steps:
       - name: 'Download build URLs'
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           pattern: build-url*
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Upload
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
       with:
         name: Event File
         path: ${{ github.event_path }}
diff --git a/.github/workflows/publish-results.yml b/.github/workflows/publish-results.yml
@@ -28,15 +28,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download result files
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
             run-id: ${{ inputs.workflow_id }}
             path: artifacts
             github-token: ${{ github.token }}
 
       - name: Download result files PR
         if: ${{ github.run_id != inputs.workflow_id }}
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
             path: artifacts
             github-token: ${{ github.token }}
@@ -52,14 +52,14 @@ jobs:
           fi
 
       - id: app_token
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.0
         if: always()
         with:
           app-id: 2291458
           private-key: ${{ secrets.TEST_REPORTING_APP_TOKEN }}
 
       - name: Publish Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0
         if: |
           always()
           && contains(steps.listfiles.outcome, 'success')
diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
@@ -13,22 +13,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
       - name: Verify repolinter config file is present
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "repolint.json"
       - name: Run Repolinter with local repolint.json
         if: steps.check_files.outputs.files_exists == 'true'
-        uses: todogroup/repolinter-action@v1
+        uses: todogroup/repolinter-action@4d478dcd860571382da7d512d6dc6dd5f554fbb2 # v1.7.3
         with:
           config_file: "repolint.json"
       - name: Run Repolinter with default ruleset
         if: steps.check_files.outputs.files_exists == 'false'
-        uses: todogroup/repolinter-action@v1
+        uses: todogroup/repolinter-action@4d478dcd860571382da7d512d6dc6dd5f554fbb2 # v1.7.3
         with:
           config_url: "https://raw.githubusercontent.com/quic/.github/main/repolint.json"
diff --git a/.github/workflows/stales.yml b/.github/workflows/stales.yml
@@ -11,7 +11,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v9
+    - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
       with:
         stale-issue-message: 'This issue has been marked as stale due to 30 days of inactivity. Please add a comment and close if it is resolved or if it is no longer relevant.'
         stale-pr-message: 'This pull request has been marked as stale due to 30 days of inactivity. To prevent automatic closure in 5 days, remove the stale label or add a comment. You can reopen a closed pull request at any time.'
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
@@ -30,13 +30,13 @@ jobs:
 
       - name: Download Result Summary
         id: download-result-summary
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           artifact-ids: ${{ needs.test.outputs.summary_id }}
           path: results_summary
 
       - name: Download event file
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
             run-id: ${{ github.event.workflow_run.id }}
             path: artifacts
@@ -58,7 +58,7 @@ jobs:
           echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
 
       - name: Comment on PR
-        uses: thollander/actions-comment-pull-request@v3
+        uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3
         with:
           file-path: pr-comment.txt
           pr-number: ${{ steps.pr_comment_prep.outputs.pr_number }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -40,7 +40,7 @@ jobs:
           - machine: qcom-armv7a
             kernel: _linux-qcom-6.18
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -61,7 +61,7 @@ jobs:
     outputs:
       jobmatrix: ${{ steps.listjobs.outputs.jobmatrix }}
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -83,14 +83,14 @@ jobs:
       matrix: ${{ fromJson(needs.prepare-boot-job-list.outputs.jobmatrix) }}
     steps:
       - name: 'Download job templates'
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           name: ${{ matrix.target.artifact }}
 
       - name: Submit ${{ matrix.target.name }}
         timeout-minutes: 20
         id: submit
-        uses: foundriesio/lava-action@v9
+        uses: foundriesio/lava-action@fe00b480d3b0f276cb4023052c7f6bc67e805953 # v9
         with:
           lava_token: ${{ secrets.LAVATOKEN }}
           lava_url: 'lava.infra.foundries.io'
@@ -101,7 +101,7 @@ jobs:
           save_result_as_artifact: true
           save_job_details: true
           result_file_name: "${{ matrix.target.result_file }}"
-      - uses: mwasilew/github-action-matrix-outputs-write@v2
+      - uses: mwasilew/github-action-matrix-outputs-write@f7202d2224ebed937f287a2e2813e47fddd12bc8 # v2
         if: always()
         id: out
         with:
@@ -118,7 +118,7 @@ jobs:
     outputs:
       boot_result: "${{ steps.print-boot-result.outputs.boot_result }}"
     steps:
-      - uses: cloudposse/github-action-matrix-outputs-read@v1
+      - uses: cloudposse/github-action-matrix-outputs-read@33cac12fa9282a7230a418d859b93fdbc4f27b5a # v1
         id: read
         with:
           matrix-step-name: "submit-boot-job"
@@ -167,7 +167,7 @@ jobs:
         run: |
           echo "${RESULT}"
 
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -189,7 +189,7 @@ jobs:
     outputs:
       jobmatrix: ${{ steps.listjobs.outputs.jobmatrix }}
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -211,13 +211,13 @@ jobs:
       matrix: ${{ fromJson(needs.prepare-premerge-job-list.outputs.jobmatrix) }}
     steps:
       - name: 'Download job templates'
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           name: ${{ matrix.target.artifact}}
 
       - name: Submit ${{ matrix.target.name }}
         timeout-minutes: 20
-        uses: foundriesio/lava-action@v9
+        uses: foundriesio/lava-action@fe00b480d3b0f276cb4023052c7f6bc67e805953 # v9
         with:
           lava_token: ${{ secrets.LAVATOKEN }}
           lava_url: 'lava.infra.foundries.io'
@@ -244,7 +244,7 @@ jobs:
       summary_id: ${{ steps.generate-summary.outputs.artifact_id }}
 
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -258,7 +258,7 @@ jobs:
           summary_file_name: test_job_summary
 
       - name: Download Summary
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
         with:
           artifact-ids: ${{ steps.generate-summary.outputs.artifact_id }}
 
