chore: use actions pinned to hashes for security (#131)

Author: ashishb

.github/workflows/check-goreleaser-config.yaml

@@ -39,7 +39,7 @@ jobs:
           cache: false  # Disable caching to avoid cache poisoning
 
       - name: Install Go Releaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552  # v6.3.0
         with:
           distribution: goreleaser
           version: latest

.github/workflows/lint-github-actions.yaml

@@ -43,7 +43,7 @@ jobs:
           sparse-checkout-cone-mode: false
 
       - name: Lint GitHub Actions
-        uses: reviewdog/action-actionlint@v1
+        uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281  # v1.65.2
 
       - name: Check GitHub Actions with 'actionlint'
         # Ref: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions

.github/workflows/lint-go.yaml

@@ -51,7 +51,7 @@ jobs:
             ${{ runner.os }}-go-
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9  # v8.0.0
         with:
           # We use cache provided by "actions/setup-go@v5"
           skip-cache: true

.github/workflows/lint-markdown.yaml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Set up Ruby
         # See https://github.com/ruby/setup-ruby#versioning
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@13e7a03dc3ac6c3798f4570bfead2aed4d96abfb  # v1.244.0
         with:
           ruby-version: 3.0
 

.github/workflows/lint-yaml.yaml

@@ -39,7 +39,7 @@ jobs:
           persist-credentials: false
 
       - name: Check YAML files with linter
-        uses: ibiqlik/action-yamllint@v3
+        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c  # v3.1.1
         with:
           # All files under base dir
           file_or_dir: "."

.github/workflows/release-binary.yaml

@@ -1,7 +1,7 @@
 ---
 name: Create release
 
-on:
+on:  # yamllint disable-line rule:truthy
   push:
     branches: ["main", "master"]
     # Release whenever this file changes
@@ -43,7 +43,7 @@ jobs:
 
       - name: Create new tag
         id: tag_version
-        uses: mathieudutour/github-tag-action@v6.2
+        uses: mathieudutour/github-tag-action@a22cf08638b34d5badda920f9daf6e72c477b07b  # v6.2
         with:
           custom_tag: ${{ steps.read-version.outputs.version }}
           tag_prefix: ""  # To prevent extra "v" in the prefix
@@ -76,7 +76,7 @@ jobs:
 
       # More assembly might be required: Docker logins, GPG, etc. It all depends
       # on your needs.
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552  # v6.3.0
         with:
           distribution: goreleaser
           version: latest

src/gabo/internal/generator/data/build-android-incomplete.yaml

@@ -46,7 +46,7 @@ jobs:
           persist-credentials: false
 
       - name: Validate Gradle Wrapper is a known binary
-        uses: gradle/actions/wrapper-validation@v3
+        uses: gradle/actions/wrapper-validation@8379f6a1328ee0e06e2bb424dadb7b159856a326  # v4.4.0
 
       - name: Set up JDK
         uses: actions/setup-java@v4
@@ -55,7 +55,7 @@ jobs:
           distribution: "zulu"
 
       - name: Use Gradle Build cache
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326  # v4.4.0
         with:
           gradle-version: "current"
 

src/gabo/internal/generator/data/check-goreleaser-config.yaml

@@ -50,7 +50,7 @@ jobs:
           cache-dependency-path: src/gabo/go.sum
 
       - name: Install Go Releaser
-        uses: goreleaser/goreleaser-action@v6
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552  # v6.3.0
         with:
           distribution: goreleaser
           version: latest

src/gabo/internal/generator/data/compress-images.yaml

@@ -36,7 +36,7 @@ jobs:
 
       - name: Compress Images
         id: calibre
-        uses: calibreapp/image-actions@main
+        uses: calibreapp/image-actions@82caf2e46a1950e602c8440fde4730ec1da6fef4  # main
         with:
           # The `GITHUB_TOKEN` is automatically generated by GitHub and scoped only to the repository that is currently running the action. By default, the action can’t update Pull Requests initiated from forked repositories.
           # See https://docs.github.com/en/actions/reference/authentication-in-a-workflow and https://help.github.com/en/articles/virtual-environments-for-github-actions#token-permissions
@@ -45,7 +45,7 @@ jobs:
           # Add ignore paths via `ignorePaths` here
       - name: Create New Pull Request If Needed
         if: steps.calibre.outputs.markdown != ''
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e  # v7.0.8
         with:
           title: "Compressed Images via Calibre"
           branch-suffix: timestamp

src/gabo/internal/generator/data/lint-android.yaml

@@ -54,12 +54,12 @@ jobs:
           java-version: "17"
 
       - name: Use Gradle Build cache
-        uses: gradle/gradle-build-action@v2
+        uses: gradle/actions/setup-gradle@8379f6a1328ee0e06e2bb424dadb7b159856a326  # v4.4.0
         with:
           gradle-version: "current"
 
       - name: Validate Gradle Wrapper is a known binary
-        uses: gradle/actions/wrapper-validation@v3
+        uses: gradle/actions/wrapper-validation@8379f6a1328ee0e06e2bb424dadb7b159856a326  # v4.4.0
 
       #      # Required by apps that depend on Firebase
       #      - name: Add mock google-services.json
@@ -70,7 +70,7 @@ jobs:
       - name: Run Gradle Lint
         run: ./gradlew lint
 
-      - uses: yutailang0119/action-android-lint@v3
+      - uses: yutailang0119/action-android-lint@8345a8dece583030445b0b5f9611209431d601c4  # v5.0.0
         with:
           report-path: "**/build/reports/*.xml"  # Support glob patterns by https://www.npmjs.com/package/@actions/glob
         continue-on-error: false  # If annotations contain error of severity, action-android-lint exit 1.