chore(ci) pin 3rd-party actions to commit hashes

Water-Melon · web-flow · commit 0c9eeed05584 · 2025-01-16T10:51:23.000-08:00
diff --git a/.github/actions/setup-httpbin-server/action.yml b/.github/actions/setup-httpbin-server/action.yml
@@ -58,18 +58,18 @@ runs:
 
     - name: Login to GitHub Container Registry
       if: ${{ steps.setup.outputs.push == 'true' }}
-      uses: docker/login-action@v3
+      uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
       with:
         registry: ghcr.io
         username: ${{ inputs.ghcr_username }}
         password: ${{ inputs.ghcr_password }}
 
     - name: Setup Docker Buildx
       if: ${{ !env.ACT }}
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
 
     - name: Build httpbin-proxy image
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
       with:
         file: './assets/ci/Dockerfile.nginx'
         tags: ${{ steps.setup.outputs.tag }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -170,7 +170,7 @@ jobs:
     steps:
       - name: Coveralls Finished
         if: ${{ !env.ACT }}
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 # v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           parallel-finished: true
@@ -255,7 +255,7 @@ jobs:
             ~/.rustup/toolchains/*
             ~/.rustup/update-hashes/*
           key: rust-toolchain-${{ runner.os }}-${{ hashFiles('.github/**/*.yml', '.github/**/*.sh', 'rust-toolchain') }}
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@1ff72ee08e3cb84d84adba594e0a297990fc1ed3 # stable
         with:
           components: clippy
       - name: 'Setup cache - work/ dir'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -70,7 +70,7 @@ jobs:
             echo "name=${{ matrix.language }}" >> $GITHUB_OUTPUT
           fi
       - name: Filter SARIF
-        uses: advanced-security/filter-sarif@v1
+        uses: advanced-security/filter-sarif@f3b8118a9349d88f7b1c0c488476411145b6270d # v1
         with:
           patterns: |
             -**/*      # exclusion: DENY ALL
diff --git a/.github/workflows/job-unit-tests.yml b/.github/workflows/job-unit-tests.yml
@@ -104,7 +104,7 @@ jobs:
           key: work-${{ inputs.os }}-${{ inputs.cc }}-${{ inputs.ngx }}-${{ inputs.openresty }}-${{ inputs.runtime }}-${{ hashFiles('util/**/*.sh', 'util/**/*.pl', 'util/**/*.awk', '.github/**/*.yml', '.github/**/*.sh', '.github/**/*.js', 'rust-toolchain', 'Makefile') }}
       - name: Setup Rust
         if: ${{ !env.ACT }}
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@1ff72ee08e3cb84d84adba594e0a297990fc1ed3 # stable
         with:
           target: wasm32-wasip1
       - name: Add wasm32-unknown-unknown target
@@ -118,7 +118,7 @@ jobs:
           go-version: 1.22.x
       - name: Setup TinyGo
         if: ${{ !env.ACT }}
-        uses: acifani/setup-tinygo@v2
+        uses: acifani/setup-tinygo@b2ba42b249c7d3efdfe94166ec0f48b3191404f7 # v2
         with:
           tinygo-version: 0.31.1
       - name: Setup Node.js
@@ -184,15 +184,15 @@ jobs:
           echo "name=$name" >> $GITHUB_OUTPUT
       - name: Coveralls Upload
         if: ${{ !env.ACT && inputs.coverage }}
-        uses: coverallsapp/github-action@v2
+        uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 # v2
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           flag-name: ${{ steps.lcov.outputs.name }}
           path-to-lcov: './lcov.info'
           parallel: true
       - name: Codecov Upload
         if: ${{ !env.ACT && inputs.coverage }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: './lcov.info'
diff --git a/.github/workflows/job-valgrind-tests.yml b/.github/workflows/job-valgrind-tests.yml
@@ -93,7 +93,7 @@ jobs:
           key: work-${{ inputs.os }}-${{ inputs.cc }}-${{ inputs.ngx }}-${{ inputs.openresty }}-${{ inputs.runtime }}-${{ hashFiles('util/**/*.sh', 'util/**/*.pl', 'util/**/*.awk', '.github/**/*.yml', '.github/**/*.sh', '.github/**/*.js', 'rust-toolchain', 'Makefile') }}
       - name: Setup Rust
         if: ${{ !env.ACT }}
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@1ff72ee08e3cb84d84adba594e0a297990fc1ed3 # stable
         with:
           target: wasm32-wasip1
       - name: Setup Go
@@ -103,7 +103,7 @@ jobs:
           go-version: 1.22.x
       - name: Setup TinyGo
         if: ${{ !env.ACT }}
-        uses: acifani/setup-tinygo@v2
+        uses: acifani/setup-tinygo@b2ba42b249c7d3efdfe94166ec0f48b3191404f7 # v2
         with:
           tinygo-version: 0.31.1
       - name: Setup Node.js
@@ -139,7 +139,7 @@ jobs:
           lcov --gcov-tool gcov-${CC#*-} --extract lcov.info "*/ngx_wasm_module/src/*" --output-file lcov.info
       - name: Codecov Upload
         if: ${{ !env.ACT && inputs.coverage }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: './lcov.info'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -144,17 +144,17 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.TOKEN_GITHUB }}
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3
       - name: ${{ matrix.name }}
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           file: ${{ matrix.file }}
           tags: ${{ matrix.tags }}
@@ -267,9 +267,9 @@ jobs:
     steps:
       - uses: actions/checkout@v3
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -448,7 +448,7 @@ jobs:
         run: find . -name '*.tar.gz'
         # Channel: nightly
       - name: Nightly release
-        uses: marvinpinto/action-automatic-releases@latest
+        uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1
         if: ${{ needs.setup.outputs.create_release == 'true' && needs.setup.outputs.release_channel == 'nightly' }}
         with:
           prerelease: true
