chore: ci security

Author: liweijie0812

.github/workflows/ci.yml

@@ -7,11 +7,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2.0.2
 
-      - uses: pnpm/action-setup@v6
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # was: pnpm/action-setup@v6.0.8.0.8
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0.4.0
         with:
           node-version-file: .node-version
           cache: pnpm
@@ -23,11 +23,11 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
-      - uses: pnpm/action-setup@v6
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # was: pnpm/action-setup@v6.0.8
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version-file: .node-version
           cache: pnpm
@@ -41,11 +41,11 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
-      - uses: pnpm/action-setup@v6
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # was: pnpm/action-setup@v6.0.8
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version-file: .node-version
           cache: pnpm

.github/workflows/reusable-pr-preview.yml

@@ -14,7 +14,7 @@ jobs:
       github.event.workflow_run.conclusion == 'success'
     steps:
       - name: download pr artifact
-        uses: dawidd6/action-download-artifact@v21
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # was: dawidd6/action-download-artifact@v21
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           run_id: ${{ github.event.workflow_run.id }}
@@ -23,7 +23,7 @@ jobs:
         id: pr
         run: echo "id=$(<pr-id.txt)" >> $GITHUB_OUTPUT
       - name: download _site artifact
-        uses: dawidd6/action-download-artifact@v21
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # was: dawidd6/action-download-artifact@v21
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           run_id: ${{ github.event.workflow_run.id }}
@@ -72,7 +72,7 @@ jobs:
       github.event.workflow_run.conclusion == 'failure'
     steps:
       - name: download pr artifact
-        uses: dawidd6/action-download-artifact@v21
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # was: dawidd6/action-download-artifact@v21
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           run_id: ${{ github.event.workflow_run.id }}

.github/workflows/reusable-publish-npm.yml

@@ -54,11 +54,11 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.ref_type == 'tag' && !inputs.publish-npm
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
         with:
           submodules: recursive
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version: ${{ inputs.node-version-file == '' && inputs.node-version || null }}
           node-version-file: ${{ inputs.node-version-file != '' && inputs.node-version-file || null }}
@@ -67,7 +67,7 @@ jobs:
 
       - run: ${{ inputs.package-manager }} run build
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version: 24
 
@@ -79,7 +79,7 @@ jobs:
 
       - name: npm publish
         if: ${{ inputs.package-manager  == 'npm'}}
-        uses: JS-DevTools/npm-publish@v4
+        uses: JS-DevTools/npm-publish@0fd2f4369c5d6bcfcde6091a7c527d810b9b5c3f # was: JS-DevTools/npm-publish@v4
         with:
           tag: ${{ steps.tag.outputs.tag }}
 
@@ -91,14 +91,14 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.ref_type == 'tag' && !inputs.publish-tag-website
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
         with:
           submodules: recursive
 
-      - uses: pnpm/action-setup@v6.0.8
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # was: pnpm/action-setup@v6.0.8
         if: ${{ inputs.package-manager == 'pnpm' }}
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version: ${{ inputs.node-version-file == '' && inputs.node-version || null }}
           node-version-file: ${{ inputs.node-version-file != '' && inputs.node-version-file || null }}
@@ -126,7 +126,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.ref_type == 'tag' && !inputs.publish-official-website
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
         with:
           ref: main
           fetch-depth: 0

.github/workflows/reusable-spell-check.yml

@@ -12,9 +12,9 @@ jobs:
     name: Typos
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
       - name: Check spelling
-        uses: crate-ci/typos@v1.46.1
+        uses: crate-ci/typos@5374cbf686e897b15713110e233094e2874de7ef # was: crate-ci/typos@v1.46.1
         with:
           config: ${{ inputs.config }}

.github/workflows/reusable-unit-test.yml

@@ -28,14 +28,14 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
         with:
           submodules: recursive
 
-      - uses: pnpm/action-setup@v6.0.8
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # was: pnpm/action-setup@v6.0.8
         if: ${{ inputs.package-manager == 'pnpm' }}
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version: ${{ inputs.node-version-file == '' && inputs.node-version || null }}
           node-version-file: ${{ inputs.node-version-file != '' && inputs.node-version-file || null }}
@@ -45,22 +45,22 @@ jobs:
       - run: ${{ inputs.package-manager }} run lint
       - run: ${{ inputs.package-manager }} run test
       # upload report to codecov
-      - uses: codecov/codecov-action@v6.0.0
+      - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # was: codecov/codecov-action@v6.0.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
 
   site:
     if: ${{ !inputs.skip-site }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
         with:
           submodules: recursive
 
-      - uses: pnpm/action-setup@v6.0.8
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # was: pnpm/action-setup@v6.0.8
         if: ${{ inputs.package-manager == 'pnpm' }}
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version: ${{ inputs.node-version-file == '' && inputs.node-version || null }}
           node-version-file: ${{ inputs.node-version-file != '' && inputs.node-version-file || null }}
@@ -74,7 +74,7 @@ jobs:
           zip -r _site.zip _site
 
       - name: upload _site artifact
-        uses: actions/upload-artifact@v7.0.1
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # was: actions/upload-artifact@v7.0.1
         with:
           name: _site
           path: _site.zip
@@ -86,22 +86,22 @@ jobs:
 
       - name: Upload PR number
         if: ${{ always() }}
-        uses: actions/upload-artifact@v7.0.1
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # was: actions/upload-artifact@v7.0.1
         with:
           name: pr
           path: ./pr-id.txt
 
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
         with:
           submodules: recursive
 
-      - uses: pnpm/action-setup@v6.0.8
+      - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # was: pnpm/action-setup@v6.0.8
         if: ${{ inputs.package-manager == 'pnpm' }}
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
         with:
           node-version: ${{ inputs.node-version-file == '' && inputs.node-version || null }}
           node-version-file: ${{ inputs.node-version-file != '' && inputs.node-version-file || null }}

.github/workflows/spell-check.yml

@@ -11,9 +11,9 @@ jobs:
     name: Typos
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
       - name: Check spelling
-        uses: crate-ci/typos@v1.46.1
+        uses: crate-ci/typos@5374cbf686e897b15713110e233094e2874de7ef # was: crate-ci/typos@v1.46.1
         with:
           config: ${{ inputs.config }}

.github/workflows/test-close-release-issue.yml

@@ -11,7 +11,7 @@ jobs:
     name: test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
       - name: test
         uses: ./actions/close-release-issue

.github/workflows/test-upgrade-deps.yml

@@ -11,9 +11,9 @@ jobs:
     name: tdesign-vue
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
 
       - name: test
         uses: ./actions/upgrade-deps
@@ -30,9 +30,9 @@ jobs:
     name: tdesign-vue-next
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
-      - uses: actions/setup-node@v6.4.0
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # was: actions/setup-node@v6.4.0
 
       - name: test
         uses: ./actions/upgrade-deps
@@ -51,7 +51,7 @@ jobs:
   #   name: tdesign-flutter
   #   runs-on: ubuntu-latest
   #   steps:
-  #     - uses: actions/checkout@v6.0.2
+  #     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # was: actions/checkout@v6.0.2
 
   #     - uses: actions/setup-node@v6.3.0
   #       with: