ci: pin all GitHub actions by hash

anujm1 · anujm1 · commit 82eebe6ba2f5 · 2026-03-07T03:37:24.000+05:30
GitHub [1] and zizmor [2] recommend that actions, especially third party actions, should be pinned by hash instead of tags since tags are mutable and can introduce vulnerabilities if a malicious actor gains access to the action repository [3]. Change all third party actions to use hash instead of tag. [1] https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions [2] https://docs.zizmor.sh/audits/#unpinned-uses [3] https://nvd.nist.gov/vuln/detail/cve-2025-30066 Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
diff --git a/.github/workflows/publish-results.yml b/.github/workflows/publish-results.yml
@@ -59,7 +59,7 @@ jobs:
           private-key: ${{ secrets.TEST_REPORTING_APP_TOKEN }}
 
       - name: Publish Test Results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040 # v2.23.0
         if: |
           always()
           && contains(steps.listfiles.outcome, 'success')
diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
@@ -19,16 +19,16 @@ jobs:
 
       - name: Verify repolinter config file is present
         id: check_files
-        uses: andstor/file-existence-action@v3
+        uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3
         with:
           files: "repolint.json"
       - name: Run Repolinter with local repolint.json
         if: steps.check_files.outputs.files_exists == 'true'
-        uses: todogroup/repolinter-action@v1
+        uses: todogroup/repolinter-action@4d478dcd860571382da7d512d6dc6dd5f554fbb2 # v1.7.3
         with:
           config_file: "repolint.json"
       - name: Run Repolinter with default ruleset
         if: steps.check_files.outputs.files_exists == 'false'
-        uses: todogroup/repolinter-action@v1
+        uses: todogroup/repolinter-action@4d478dcd860571382da7d512d6dc6dd5f554fbb2 # v1.7.3
         with:
           config_url: "https://raw.githubusercontent.com/quic/.github/main/repolint.json"
diff --git a/.github/workflows/test-pr.yml b/.github/workflows/test-pr.yml
@@ -58,7 +58,7 @@ jobs:
           echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
 
       - name: Comment on PR
-        uses: thollander/actions-comment-pull-request@v3
+        uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3
         with:
           file-path: pr-comment.txt
           pr-number: ${{ steps.pr_comment_prep.outputs.pr_number }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -101,7 +101,7 @@ jobs:
           save_result_as_artifact: true
           save_job_details: true
           result_file_name: "${{ matrix.target.result_file }}"
-      - uses: mwasilew/github-action-matrix-outputs-write@v2
+      - uses: mwasilew/github-action-matrix-outputs-write@f7202d2224ebed937f287a2e2813e47fddd12bc8 # v2
         if: always()
         id: out
         with:
@@ -118,7 +118,7 @@ jobs:
     outputs:
       boot_result: "${{ steps.print-boot-result.outputs.boot_result }}"
     steps:
-      - uses: cloudposse/github-action-matrix-outputs-read@v1
+      - uses: cloudposse/github-action-matrix-outputs-read@33cac12fa9282a7230a418d859b93fdbc4f27b5a # v1
         id: read
         with:
           matrix-step-name: "submit-boot-job"
