chore: pin actions to sha

staaldraad · staaldraad · commit 0a1ee45aa393 · 2026-03-27T12:34:48.000+01:00
diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml
@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Build
         run: cargo build --release --verbose
         working-directory: ./cli
diff --git a/.github/workflows/pgTAP.yaml b/.github/workflows/pgTAP.yaml
@@ -10,8 +10,8 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
-      - uses: supabase/setup-cli@v1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0
         with:
           version: 2.75.0
       - name: Supabase Start
diff --git a/.github/workflows/pre-commit_hooks.yaml b/.github/workflows/pre-commit_hooks.yaml
@@ -11,10 +11,10 @@ jobs:
 
     steps:
     - name: checkout
-      uses: actions/checkout@v6.0.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: set up python 3.10
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: "3.10"
 
diff --git a/.github/workflows/prettier.yaml b/.github/workflows/prettier.yaml
@@ -13,9 +13,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Run Prettier
-        uses: creyD/prettier_action@v4.6
+        uses: creyD/prettier_action@8c18391fdc98ed0d884c6345f03975edac71b8f0 # v4.6
         with:
           # Prettier CLI arguments
           prettier_options: '--config ./website/.prettierrc --ignore-path ./website/.prettierignore --check ./website'
diff --git a/.github/workflows/release-cli.yaml b/.github/workflows/release-cli.yaml
@@ -14,9 +14,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Read CLI version
-        uses: SebRollen/toml-action@v1.2.0
+        uses: SebRollen/toml-action@b1b3628f55fc3a28208d4203ada8b737e9687876 # v1.2.0
         id: read_cli_version
         with:
           file: './cli/Cargo.toml'
@@ -29,7 +29,7 @@ jobs:
           exit 1
       - name: Create Release
         id: create_release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -60,12 +60,12 @@ jobs:
           sudo apt-get install -y --no-install-recommends curl build-essential libssl-dev pkg-config
 
       - name: Install Rust Toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal
           toolchain: stable
 
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Build and Package
         run: |
           cd cli
@@ -97,7 +97,7 @@ jobs:
           sudo dpkg-deb --build "${package_dir}"
 
       - name: Upload gzip Package
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -108,7 +108,7 @@ jobs:
           asset_content_type: application/gzip
 
       - name: Upload Debian Package
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -126,20 +126,20 @@ jobs:
     timeout-minutes: 45
     steps:
       - name: Install Rust Toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal
           toolchain: stable
 
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Build and Package
         run: |
           cd cli
           cargo build --release
           cd ./target/release && tar -czvf dbdev.tar.gz ./dbdev
 
       - name: Upload Release Asset
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -157,20 +157,20 @@ jobs:
     timeout-minutes: 45
     steps:
       - name: Install Rust Toolchain
-        uses: actions-rs/toolchain@v1
+        uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7
         with:
           profile: minimal
           toolchain: stable
 
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Build and Package
         run: |
           cd cli
           cargo build --release
           cd ./target/release && Compress-Archive -Path ./dbdev.exe -Destination dbdev.zip
 
       - name: Upload Release Asset
-        uses: actions/upload-release-asset@v1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/release-homebrew-tap.yaml b/.github/workflows/release-homebrew-tap.yaml
@@ -17,7 +17,7 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: supabase/homebrew-tap
           ref: "main"
@@ -31,21 +31,21 @@ jobs:
           # strip the leading v (if present)
           echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
       - name: Download Linux AMD64 package
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1
         with:
           repository: "supabase/dbdev"
           tag: ${{ inputs.tag }}
           fileName: "dbdev-${{ inputs.tag }}-linux-amd64.tar.gz"
 
       - name: Download Linux ARM64 package
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1
         with:
           repository: "supabase/dbdev"
           tag: ${{ inputs.tag }}
           fileName: "dbdev-${{ inputs.tag }}-linux-arm64.tar.gz"
 
       - name: Download macOS ARM64 package
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1
         with:
           repository: "supabase/dbdev"
           tag: ${{ inputs.tag }}
@@ -113,7 +113,7 @@ jobs:
           echo "It was auto-generated by the dbdev release workflow." >> PR_BODY.md
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v8.1.0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           token: ${{ secrets.homebrew_tap_rw }}
           commit-message: "Release dbdev version v${{ steps.vars.outputs.version }}"
diff --git a/.github/workflows/release-scoop-bucket.yaml b/.github/workflows/release-scoop-bucket.yaml
@@ -17,7 +17,7 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: supabase/scoop-bucket
           ref: "main"
@@ -33,7 +33,7 @@ jobs:
           echo "version=${tag#v}" >> "$GITHUB_OUTPUT"
 
       - name: Download Windows AMD64 package
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1
         with:
           repository: "supabase/dbdev"
           tag: ${{ inputs.tag }}
@@ -69,7 +69,7 @@ jobs:
           echo "It was auto-generated by the dbdev release workflow." >> PR_BODY.md
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v8.1.0
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
           token: ${{ secrets.scoop_bucket_rw }}
           commit-message: "Release dbdev version v${{ steps.vars.outputs.version }}"
diff --git a/.github/workflows/website-tests.yaml b/.github/workflows/website-tests.yaml
@@ -22,15 +22,15 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
           version: latest
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24"
           cache: "pnpm"
@@ -43,7 +43,7 @@ jobs:
         run: pnpm run test:coverage
 
       - name: Upload coverage to Coveralls
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7
         with:
           file: website/coverage/lcov.info
           flag-name: frontend
