fix: pin actions to commit SHA

shaneutt · shaneutt · commit 514d06b852e7 · 2026-04-29T12:51:32.000-04:00
Signed-off-by: Shane Utt &lt;shaneutt@linux.com&gt;
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
@@ -20,14 +20,14 @@ jobs:
       issues: write # for rustsec/audit-check to create issues
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Generate Cargo.lock
         # https://github.com/rustsec/audit-check/issues/27
         run: cargo generate-lockfile --ignore-rust-version
 
       - name: Audit Check
         # https://github.com/rustsec/audit-check/issues/2
-        uses: rustsec/audit-check@master
+        uses: rustsec/audit-check@858dc40f52ca2b8570b7a997c1c4e35c6fc9a432 # master
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -15,7 +15,7 @@ jobs:
     if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           submodules: "recursive"
 
@@ -30,7 +30,7 @@ jobs:
           sudo apt install -y openresty --no-install-recommends
 
       - name: Install toolchain
-        uses: dtolnay/rust-toolchain@master
+        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
         with:
           toolchain: ${{ matrix.toolchain }}
           components: rustfmt, clippy
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           submodules: "recursive"
 
@@ -20,7 +20,7 @@ jobs:
           sudo apt install -y cmake libclang-dev
 
       - name: Install stable toolchain
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
       - name: Run cargo doc
         run: cargo doc --no-deps --all-features
diff --git a/.github/workflows/mark-stale.yaml b/.github/workflows/mark-stale.yaml
@@ -12,7 +12,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9
         with:
           stale-issue-message: 'This question has been stale for a week. It will be closed in an additional day if not updated.'
           close-issue-message: 'This issue has been closed because it has been stalled with no activity.'
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -16,11 +16,11 @@ jobs:
     name: semgrep-oss
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 1
       - id: cache-semgrep
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: ~/.local
           key: semgrep-1.160.0-${{ runner.os }}
