Remove low-use/value GitHub Action dependencies

ericcornelissen · ericcornelissen · commit ab111ce7683d · 2026-02-02T06:39:35.000+01:00
- `AppOmni-Labs/heisenberg-ssc-gha`: low quality reports that I mostly
  if not entirely ignore. Also doesn't pin its transitive dependencies.
- `chains-project/dirty-waters-action`: low value unpinnable action that
  sometimes starts acting up out of nowhere.
- `ericcornelissen/odgen-action`: low value static analysis, unpinnable.
diff --git a/.github/workflows/audit-dev.yml b/.github/workflows/audit-dev.yml
@@ -37,48 +37,6 @@ jobs:
         run: npm clean-install
       - name: Audit for deprecations
         run: npm run audit:deprecations
-  dirty-waters:
-    name: Dirty Waters
-    runs-on: ubuntu-24.04
-    permissions:
-      pull-requests: write # To comment on a Pull Request
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-        with:
-          persist-credentials: false
-      - name: Verify action checksums
-        uses: ./.github/actions/ghasum
-      - name: Run Dirty-waters analysis
-        uses: chains-project/dirty-waters-action@v1.11.52
-        with:
-          allow_pr_comment: true
-          comment_on_commit: false
-          config: ./config/dirty-waters.json
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          gradual_report: false
-          ignore_cache: false
-          package_manager: npm
-          specified_smells: --check-source-code --check-source-code-sha
-          x_to_fail: 0
-  heisenberg:
-    name: Heisenberg
-    runs-on: ubuntu-24.04
-    if: ${{ github.event_name == 'pull_request' }}
-    permissions:
-      pull-requests: write # To comment on a Pull Request
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-        with:
-          persist-credentials: false
-      - name: Verify action checksums
-        uses: ./.github/actions/ghasum
-      - name: Run Heisenberg analysis
-        uses: AppOmni-Labs/heisenberg-ssc-gha@v1.0.3
-        with:
-          add_security_label: false
-          package_file: package-lock.json
   vulnerabilities:
     name: Vulnerabilities
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -137,20 +137,6 @@ jobs:
         run: |
           URL="${GH_URL}/${REPO}/pull/${NUMBER}"
           gh pr comment "${URL}" --body "${COMMENT}"
-  odgen:
-    name: ODGen
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
-        with:
-          persist-credentials: false
-      - name: Verify action checksums
-        uses: ./.github/actions/ghasum
-      - name: Perform ODGen analysis
-        uses: ericcornelissen/odgen-action@v1.1.1
-        with:
-          vulnerability_type: os_command, code_exec, proto_pollution, ipt, xss, path_traversal
   reproducible:
     name: Reproducible build
     runs-on: ubuntu-24.04
diff --git a/.github/workflows/gha.sum b/.github/workflows/gha.sum
@@ -1,30 +1,21 @@
 version 1
 
-AppOmni-Labs/heisenberg-ssc-gha@v1.0.3 fAlZiG1lk7C4GW5zoFzG+9cCYqtF+x3Fw5IoCI8o4Vw=
-actions-ecosystem/action-add-labels@v1 TAe5KMeDutoqa65ydmV9YdFK+RtBnXZIp9SA3PQi/Pk=
-actions/cache@v4.2.3 A/Paejdu47oer1Zf9zbtOgbMTG3OmOiXsgB6oodFIOU=
 actions/cache@v5.0.3 9j/LRKexFfxHWzVbStH0MAw4ePL9cNrhLNSjmONs+Is=
 actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 lqcOZgWyTneOKF0riqdP6+vaHfT8MJqXvjKe4fdsTjs=
 actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd s/NQMxIFsmRFac7hJyF3QlZIJ3YbGpNiS5zPtPJgB1s=
 actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 e6ng7MJDyAPkTZ/6d/plZK2YhZRzJZvxhYAPUPpNAzc=
 actions/create-github-app-token@7e473efe3cb98aa54f8d4bac15400b15fad77d94 yeXVQWVRe7LlkqUY9Xco8LpJ+V2avq5OP33tZYbGnXk=
 actions/create-github-app-token@v2.2.0 yeXVQWVRe7LlkqUY9Xco8LpJ+V2avq5OP33tZYbGnXk=
-actions/github-script@v7 szdLNpz8Va2xlE22zZc+JipfRGfMZw13OOZGxLuaGqM=
 actions/labeler@v6.0.0 vIbx/9sZYOT56jy87glclJ87y9Vd1y4SPRfS862VkeA=
 actions/setup-node@v4.3.0 42jvLeHkfmB6GxoSth6I7EvbxtWh47IRGuqDDrNCYhM=
 actions/setup-node@v6.2.0 s1RfTSV8Ah9TAmSOTO+0UiR51/XGkC4lrr1YZi7yBKo=
-actions/setup-python@v5 MTHBGEHwb+MeIw3xRLiVuM/uyRfuK8hlVXL+Z/yEA8c=
-actions/setup-python@v5.6.0 MTHBGEHwb+MeIw3xRLiVuM/uyRfuK8hlVXL+Z/yEA8c=
 actions/upload-artifact@v6.0.0 pGNYwgnMwE8lQptaxeFNnwBLuWlkpSuQLb+kTVzspLg=
 asdf-vm/actions@b7bcd026f18772e44fe1026d729e1611cc435d47 NTSr2fG0/s/purlk1j8nFi/OZXSGAlRzB+GB0KKzhTk=
 asdf-vm/actions@v4.0.0 eGZn+tf2SoEwu2pptGEHoXu4mnO/zJHvqWldHAhWmtM=
-chains-project/dirty-waters-action@v1.11.52 JTXn8ep3K5YnkSpNVyVVe85RAxg2eQ2X+TKP5A6JgyA=
-ericcornelissen/odgen-action@v1.1.1 UZ+sIMi5lX7uHvMbJfQf/qlN2ZPmUbCCgZkQmy4RZvQ=
 ericcornelissen/tool-versions-update-action@v2.2.0 hEKQk7PtggFp4V/aUnbNy7/VbpQsYTUurzocvHKI3Qw=
 github/codeql-action@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 cKk/jC+AF7SIc9AV9Pk3XEbI+kND9NsY4T1AfQQkPzY=
 github/codeql-action@v4.32.0 cKk/jC+AF7SIc9AV9Pk3XEbI+kND9NsY4T1AfQQkPzY=
 ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b x49H6hPD8AWXRzcWpr1XIT5RoPcHJ/4QprD1vkG7ZnA=
-peter-evans/create-or-update-comment@v4 EFrtkHrqAoarXp0g95Hzycnm7OHxBYO7kYpazfHUhPQ=
 peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 OLxtm/mOdNIRqAWWLjgrnEjNt0OL1Lak9MN9hbOXQNc=
 peter-evans/create-pull-request@v8.0.0 Luap3+Di9HmjSpYTqM9ZzZHk1DBFrDgIwuguQ2Bty1k=
 stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 g4PCgPHeeaVpSPTRcoBKth4QnrZGGQXwBEoEAsAXivs=
