Lock included GitHub actions to a specific hash for security

JamyGolden · JamyGolden · commit 0b503d6bb949 · 2024-12-09T22:49:12.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,7 +12,7 @@ jobs:
     outputs:
       cargo_cache_key: ${{ steps.cargo_cache_key.outputs.value }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
       - name: Set cargo cache key
         id: cargo_cache_key
         run: |
diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
@@ -43,10 +43,10 @@ jobs:
       - tag-release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           submodules: true
-      - uses: taiki-e/create-gh-release-action@v1
+      - uses: taiki-e/create-gh-release-action@9cde2a76da067fc609a70deac6d209b88407861f # v1.8.2
         with:
           ref: 'refs/tags/${{ needs.setup.outputs.git_tag_name }}'
           changelog: ribboncurls-cli/CHANGELOG.md
@@ -78,10 +78,10 @@ jobs:
           - target: universal-apple-darwin
             os: macos-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           submodules: true
-      - uses: taiki-e/upload-rust-binary-action@v1
+      - uses: taiki-e/upload-rust-binary-action@3c3ad991ff197cfb223257a5d085a58deaaab4b5 # v1.22.0
         with:
           ref: refs/tags/${{ needs.setup.outputs.git_tag_name }}
           bin: ribboncurls
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -14,8 +14,9 @@ jobs:
   fmt:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
+
+      - uses: actions/cache@81382a721fc89d96eca335d0c3ba33144b2baa9d # v4.0.2
         with:
           path: |
             ~/.cargo/registry
@@ -24,7 +25,8 @@ jobs:
             ~/.cargo/bin
           key: ${{ env.CARGO_CACHE_KEY }}
         id: cache-cargo-fmt
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
         with:
           components: rustfmt
 
@@ -34,8 +36,9 @@ jobs:
   deny:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
+
+      - uses: actions/cache@81382a721fc89d96eca335d0c3ba33144b2baa9d # v4.0.2
         with:
           path: |
             ~/.cargo/registry
@@ -44,15 +47,17 @@ jobs:
             ~/.cargo/bin
           key: ${{ env.CARGO_CACHE_KEY }}
         id: cache-cargo-deny
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
 
       - uses: EmbarkStudios/cargo-deny-action@v1
 
   audit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/cache@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
+
+      - uses: actions/cache@81382a721fc89d96eca335d0c3ba33144b2baa9d # v4.0.2
         with:
           path: |
             ~/.cargo/registry
@@ -61,7 +66,8 @@ jobs:
             ~/.cargo/bin
           key: ${{ env.CARGO_CACHE_KEY }}
         id: cache-cargo-fmt
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
 
       - uses: taiki-e/install-action@v2
         with:
diff --git a/.github/workflows/msrv.yml b/.github/workflows/msrv.yml
@@ -16,14 +16,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Fetch Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           submodules: true
 
       - name: Install stable toolchain
-        uses: actions-rust-lang/setup-rust-toolchain@v1
+        uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
 
-      - uses: cargo-bins/cargo-binstall@main
+      - uses: cargo-bins/cargo-binstall@9330730a2ae0fec8c2d7e1653888fe7701dd409a #v1.10.3
 
       - name: Install cargo-msrv
         # waiting for the stable release
@@ -44,16 +44,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Fetch Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           submodules: true
 
       - run: git pull
 
       - name: Install stable toolchain
-        uses: actions-rust-lang/setup-rust-toolchain@v1
+        uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
 
-      - uses: cargo-bins/cargo-binstall@main
+      - uses: cargo-bins/cargo-binstall@9330730a2ae0fec8c2d7e1653888fe7701dd409a #v1.10.3
 
       - name: Install cargo-msrv
         # waiting for the stable release
@@ -73,7 +73,7 @@ jobs:
         run: cargo msrv --path ./ribboncurls set ${{ steps.data-msrv.outputs.new }}
 
       - name: Update readme msrv
-        uses: jacobtomlinson/gha-find-replace@v3
+        uses: jacobtomlinson/gha-find-replace@099c88fbf2a7da26b083521a8bfa13e4f0886b97 # v3.0.3
         with:
           find: ${{ steps.data-msrv.outputs.current }}
           replace: ${{ steps.data-msrv.outputs.new }}
@@ -83,7 +83,7 @@ jobs:
       - run: git pull
 
       - name: Commit and Push
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@ac8823709a85c7ce090849ac3e5fe24d006f6e18 # v5.0.1
         with:
           commit_message: "Update MSRV from [${{steps.data-msrv.outputs.current}}] to [${{steps.data-msrv.outputs.new}}]"
           branch: ${{ github.head_ref }}
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -10,7 +10,7 @@ jobs:
     outputs:
       cargo_cache_key: ${{ steps.cargo_cache_key.outputs.value }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
       - name: Set cargo cache key
         id: cargo_cache_key
         run: |
diff --git a/.github/workflows/publish-crate.yml b/.github/workflows/publish-crate.yml
@@ -11,10 +11,12 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           submodules: true
 
+      - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
+
       - name: Publish lib to crates.io if it is not published
         env:
           CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
diff --git a/.github/workflows/setup.yml b/.github/workflows/setup.yml
@@ -16,19 +16,19 @@ jobs:
       git_tag_name: ${{ steps.git_tag_name.outputs.value }}
       cargo_cache_key: ${{ steps.cargo_cache_key.outputs.value }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           fetch-depth: 1
           ref: ${{ github.ref }}
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
+      - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
 
       - name: Set cargo cache key
         id: cargo_cache_key
         run: |
           CARGO_CACHE_KEY="${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}"
           echo "value=$CARGO_CACHE_KEY" >> $GITHUB_OUTPUT
 
-      - uses: actions/cache@v4
+      - uses: actions/cache@81382a721fc89d96eca335d0c3ba33144b2baa9d # v4.0.2
         with:
           path: |
             ~/.cargo/registry
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           token: ${{ secrets.RELEASE }}
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo and submodules
-        uses: actions/checkout@v4
+        uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc # v4.1.7
         with:
           submodules: true
-      - uses: actions-rust-lang/setup-rust-toolchain@v1
-      - uses: actions/cache@v4
+      - uses: actions-rust-lang/setup-rust-toolchain@1fbea72663f6d4c03efaab13560c8a24cfd2a7cc # v1.9.0
+      - uses: actions/cache@81382a721fc89d96eca335d0c3ba33144b2baa9d # v4.0.2
         with:
           path: |
             ~/.cargo/registry
