chore: Pin external actions using hashes (#2019)

Note: I used exactly the version which are already being used (didn't update anything). Updates will come when we merge https://github.com/XRPLF/clio/pull/2018
2025-11-04 20:05:51 +00:00 · 2025-04-23 17:35:40 +01:00
parent e01d7d12cf
commit 88d27a7265
7 changed files with 14 additions and 14 deletions
--- a/.github/actions/build_docker_image/action.yml
+++ b/.github/actions/build_docker_image/action.yml
@@ -24,30 +24,30 @@ runs:
  steps:
      - name: Login to DockerHub
        if: ${{ inputs.push_image == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_PW }}

      - name: Login to GitHub Container Registry
        if: ${{ inputs.push_image == 'true' }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ env.GITHUB_TOKEN }}

-      - uses: docker/setup-qemu-action@v3
-      - uses: docker/setup-buildx-action@v3
+      - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 #v3.6.0
+      - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 #v3.10.0

-      - uses: docker/metadata-action@v5
+      - uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
        id: meta
        with:
          images: ${{ inputs.image_name }}
          tags: ${{ inputs.tags }}

      - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 #v5.4.0
        with:
          context: ${{ inputs.directory }}
          platforms: ${{ inputs.platforms }}
@@ -56,7 +56,7 @@ runs:

      - name: Update DockerHub description
        if: ${{ inputs.push_image == 'true' }}
-        uses: peter-evans/dockerhub-description@v4
+        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 #v4.0.2
        with:
          username: ${{ env.DOCKERHUB_USER }}
          password: ${{ env.DOCKERHUB_PW }}
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -117,7 +117,7 @@ jobs:
    steps:
      - name: Clean workdir
        if: ${{ runner.os == 'macOS' }}
-        uses: kuznetsss/workspace-cleanup@1.0
+        uses: kuznetsss/workspace-cleanup@80b9863b45562c148927c3d53621ef354e5ae7ce #v1.0

      - uses: actions/download-artifact@v4
        with:
--- a/.github/workflows/build_impl.yml
+++ b/.github/workflows/build_impl.yml
@@ -81,7 +81,7 @@ jobs:
    steps:
      - name: Clean workdir
        if: ${{ runner.os == 'macOS' }}
-        uses: kuznetsss/workspace-cleanup@1.0
+        uses: kuznetsss/workspace-cleanup@80b9863b45562c148927c3d53621ef354e5ae7ce #v1.0

      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/check_pr_title.yml
+++ b/.github/workflows/check_pr_title.yml
@@ -10,7 +10,7 @@ jobs:
    # permissions:
    #   pull-requests: write
    steps:
-      - uses: ytanikin/PRConventionalCommits@1.3.0
+      - uses: ytanikin/PRConventionalCommits@b628c5a234cc32513014b7bfdd1e47b532124d98 #v1.3.0
        with:
          task_types: '["build","feat","fix","docs","test","ci","style","refactor","perf","chore"]'
          add_label: false
--- a/.github/workflows/clang-tidy.yml
+++ b/.github/workflows/clang-tidy.yml
@@ -89,7 +89,7 @@ jobs:

            List of the issues found: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}/

-      - uses: crazy-max/ghaction-import-gpg@v6
+      - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec #v6.3.0
        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
        with:
          gpg_private_key: ${{ secrets.ACTIONS_GPG_PRIVATE_KEY }}
@@ -99,7 +99,7 @@ jobs:

      - name: Create PR with fixes
        if: ${{ steps.run_clang_tidy.outcome != 'success' }}
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -76,7 +76,7 @@ jobs:
    steps:
      - name: Clean workdir
        if: ${{ runner.os == 'macOS' }}
-        uses: kuznetsss/workspace-cleanup@1.0
+        uses: kuznetsss/workspace-cleanup@80b9863b45562c148927c3d53621ef354e5ae7ce #v1.0

      - uses: actions/download-artifact@v4
        with:
--- a/.github/workflows/upload_coverage_report.yml
+++ b/.github/workflows/upload_coverage_report.yml
@@ -23,7 +23,7 @@ jobs:

      - name: Upload coverage report
        if: ${{ hashFiles('build/coverage_report.xml') != '' }}
-        uses: wandalen/wretry.action@v3.7.3
+        uses: wandalen/wretry.action@ffdd254f4eaf1562b8a2c66aeaa37f1ff2231179 #v3.7.3
        with:
          action: codecov/codecov-action@v4
          with: |