Pinned GHA to commit SHA to avoid supply chain attack. (#49)

sonnykt · web-flow · commit 1164ab6c3abb · 2025-04-24T14:01:50.000+10:00
diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
diff --git a/.github/workflows/assign-author.yml b/.github/workflows/assign-author.yml
@@ -15,4 +15,5 @@ jobs:
 
     steps:
       - name: Assign author
-        uses: toshimaru/auto-author-assign@v2.1.1
+        # See https://github.com/toshimaru/auto-author-assign/releases
+        uses: toshimaru/auto-author-assign@16f0022cf3d7970c106d8d1105f75a1165edb516 # v2.1.1
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -24,7 +24,8 @@ jobs:
           fetch-depth: 0
 
       - name: Install SSH key
-        uses: shimataro/ssh-key-action@v2
+        # See https://github.com/shimataro/ssh-key-action/releases
+        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2.7.0
         with:
           key: ${{ secrets.DEPLOY_SSH_KEY }}
           known_hosts: unnecessary
diff --git a/.github/workflows/draft-release-notes.yml b/.github/workflows/draft-release-notes.yml
@@ -20,6 +20,7 @@ jobs:
 
     steps:
       - name: Draft release notes
-        uses: release-drafter/release-drafter@v6
+        # See https://github.com/release-drafter/release-drafter/releases
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -73,10 +73,12 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        # See https://github.com/actions/checkout/releases
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Cache Composer dependencies
-        uses: actions/cache@v4
+        # See https://github.com/actions/cache/releases
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
         with:
           path: /tmp/composer-cache
           key: ${{ runner.os }}-${{ hashFiles('**/composer.lock') }}
@@ -91,7 +93,8 @@ jobs:
           sudo ldconfig
 
       - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        # See https://github.com/shivammathur/setup-php/releases
+        uses: shivammathur/setup-php@cf4cade2721270509d5b1c766ab3549210a39a2a # v2.33.0
         with:
           php-version: ${{ matrix.php-version }}
           extensions: gd, sqlite, pdo_sqlite
@@ -170,22 +173,24 @@ jobs:
           CI_CHECK_COVERAGE_IGNORE_FAILURE: ${{ vars.CI_CHECK_COVERAGE_IGNORE_FAILURE || 0 }}
 
       - name: Upload test results as an artifact
-        uses: actions/upload-artifact@v4
+        # See https://github.com/actions/upload-artifact/releases
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: always()
         with:
           name: Artifacts (${{ matrix.name }})
           path: build/web/sites/simpletest/browser_output
 
       - name: Upload coverage report as an artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: ${{github.job}}-code-coverage-report-${{ matrix.name }}
           path: ./.logs/coverage/phpunit/.coverage-html
           include-hidden-files: true
           if-no-files-found: error
 
       - name: Upload coverage report to Codecov
-        uses: codecov/codecov-action@v5
+        # See https://github.com/codecov/codecov-action/releases
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         if: ${{ env.CODECOV_TOKEN != '' }}
         with:
           files: ./.logs/coverage/phpunit/cobertura.xml
