From a9c4525c77ac06f891e0b01fe62d2c4365323d49 Mon Sep 17 00:00:00 2001
From: Maja Massarini
Date: Thu, 21 May 2026 09:07:04 +0200
Subject: [PATCH] Pin GitHub Actions to commit hashes for security
Pin all actions to specific commit SHAs to prevent supply chain attacks and ensure reproducible builds.
Assisted-By: Claude Sonnet 4.5
---
 .github/workflows/deploy.yml | 6 +++---
 .github/workflows/opened-prs-to-the-board.yml | 2 +-
 .github/workflows/regenerate-cli-help-messages.yml | 6 +++---
 .github/workflows/test-deploy.yml | 4 ++--
 4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index fc2df280f0..b03d29c82f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,8 +18,8 @@ jobs:
 permissions:
 contents: write
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: 18
 cache: yarn
@@ -41,7 +41,7 @@ jobs:
 # Popular action to deploy to GitHub Pages:
 # Docs: https://github.com/peaceiris/actions-gh-pages#%EF%B8%8F-docusaurus
 - name: Deploy to GitHub Pages
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@4a2e02b36f31d8974a0d09d3bb9f3172aa2d0d0d # v3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 # Build output to publish to the `gh-pages` branch:
diff --git a/.github/workflows/opened-prs-to-the-board.yml b/.github/workflows/opened-prs-to-the-board.yml
index 5301d63e6a..a2252b6848 100644
--- a/.github/workflows/opened-prs-to-the-board.yml
+++ b/.github/workflows/opened-prs-to-the-board.yml
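Review bot: The trailing `# v3` on the pinned `actions/checkout` and `actions/setup-node` lines in the first deploy.yml hunk names a moving major tag, so the comment does not tell a reader which release the 40-character SHA was taken from. Recording the exact release, e.g. `- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.<minor>.<patch>` (placeholder, to be filled in after checking the tag), makes the pin auditable and gives update tooling a concrete version to bump. Each SHA should also be confirmed to exist in the upstream action repository rather than only in a fork, since nothing in the patch shows how the hashes were obtained. The same applies to the `peaceiris/actions-gh-pages` pin in the second deploy.yml hunk and to the pins in the other three workflow files; the `steps:` list continues past the end of this hunk. No Dependabot or Renovate configuration is part of this patch, so if none exists elsewhere in the repository the pins will stay on these releases until someone updates them by hand.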
@@ -8,7 +8,7 @@ jobs:
 if: github.event.pull_request.draft == false
 runs-on: ubuntu-latest
 steps:
- - uses: actions/add-to-project@v0.3.0
+ - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0
 with:
 project-url: https://github.com/orgs/packit/projects/14
 github-token: ${{ secrets.RELEASEBOT_GITHUB_TOKEN }}
diff --git a/.github/workflows/regenerate-cli-help-messages.yml b/.github/workflows/regenerate-cli-help-messages.yml
index 1f1bf3bb51..66378bcc34 100644
--- a/.github/workflows/regenerate-cli-help-messages.yml
+++ b/.github/workflows/regenerate-cli-help-messages.yml
@@ -15,13 +15,13 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 - name: Install missing distro dependencies run: sudo apt update && sudo apt-get install libkrb5-dev python3-rpm - name: Setup Python - uses: actions/setup-python@v4 + uses: actions/setup-python@7f4fc3e22c37d6ff65e88745f38bd3157c663f7c # v4 - name: Install dependencies run: pip3 install packitos
@@ -30,7 +30,7 @@ jobs: run: python3 files/generate_cli_help_messages.py - name: Create pull request if there are changes - uses: peter-evans/create-pull-request@v4 + uses: peter-evans/create-pull-request@38e0b6e68b4c852a5500a94740f0e535e0d7ba54 # v4 with: commit-message: "Update help messages of CLI commands" title: "Update help messages of CLI commands"
diff --git a/.github/workflows/test-deploy.yml b/.github/workflows/test-deploy.yml
index aa06ea7849..88496ccf52 100644
--- a/.github/workflows/test-deploy.yml
+++ b/.github/workflows/test-deploy.yml
@@ -10,8 +10,8 @@ jobs:
 name: Test deployment
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
+ - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: 18
 cache: yarn
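Review bot: In the first regenerate-cli-help-messages.yml hunk the `Install dependencies` step still runs `pip3 install packitos` with no version or hash, so the job executes whatever release is current on PyPI even though the actions around it are now pinned; that code runs in the same job as the `peter-evans/create-pull-request` step in the following hunk, which presumably holds a write-capable token. Pinning it, e.g. `run: pip3 install packitos==<PINNED_VERSION>` or a hash-checked requirements file installed with `pip3 install --require-hashes -r <requirements file>`, would match the commit's stated goal of reproducible builds. The `Setup Python` step also shows no `with: python-version:` in the hunk, so the interpreter version appears to be left to the action's default resolution. The job starts before and continues after this hunk, so settings outside the visible lines may already cover part of this.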