Pin GitHub Actions to SHA hashes

- autopublish.yml: actions/create-github-app-token@v2 -> fee1f7d63c2ff003460e3d139729b119787bc349
- autopublish.yml: actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd
- autopublish.yml: phips28/gh-action-bump-version@master -> 215e27a882516826c59df7f09da8c67d5f375cbd
- autopublish.yml: actions/setup-node@v6 -> 53b83947a5a98c8d113130e565377fae1a50d02f
- ci.yml: actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd
- ci.yml: actions/setup-node@v6 -> 53b83947a5a98c8d113130e565377fae1a50d02f
- ci.yml: actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd
- ci.yml: actions/setup-node@v6 -> 53b83947a5a98c8d113130e565377fae1a50d02f
- ci.yml: actions/github-script@v7 -> f28e40c7f34bde8b3046d885e986cb6290c5673b
- ci.yml: codecov/codecov-action@v4 -> b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
- ci.yml: actions/upload-artifact@v5 -> 330a01c490aca151604b8cf639adc76d48f6c5d4
- ci.yml: actions/checkout@v5 -> 93cb6efe18208431cddfb8368fd83d5badbf9bfd
- ci.yml: actions/setup-node@v6 -> 53b83947a5a98c8d113130e565377fae1a50d02f

Author: bgrozev

.github/workflows/autopublish.yml

@@ -14,21 +14,21 @@ jobs:
     steps:
       - name: "Generate GitHub App token"
         id: app-token
-        uses: "actions/create-github-app-token@v2"
+        uses: "actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349"  # v2
         with:
           app-id: ${{ secrets.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
       - name: "Checkout source code"
-        uses: "actions/checkout@v5"
+        uses: "actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd"  # v5
         with:
           token: ${{ steps.app-token.outputs.token }}
       - name: "Automated Release"
-        uses: "phips28/gh-action-bump-version@master"
+        uses: "phips28/gh-action-bump-version@215e27a882516826c59df7f09da8c67d5f375cbd"  # master
         with:
           commit-message: 'chore: bump version to {{version}}'
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6
         with:
           node-version: '18'
           registry-url: 'https://registry.npmjs.org'

.github/workflows/ci.yml

@@ -10,9 +10,9 @@ jobs:
     name: Lint
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
-    - uses: actions/setup-node@v6
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6
       with:
         node-version: 24
         cache: 'npm'
@@ -27,9 +27,9 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
-    - uses: actions/setup-node@v6
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6
       with:
         node-version: 24
         cache: 'npm'
@@ -58,7 +58,7 @@ jobs:
 
     - name: Create test results check
       if: always() && github.event_name == 'pull_request'
-      uses: actions/github-script@v7
+      uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b  # v7
       with:
         script: |
           const createTestCheck = require('./.github/workflows/scripts/create-test-check.js');
@@ -71,7 +71,7 @@ jobs:
           });
 
     - name: Upload coverage to Codecov
-      uses: codecov/codecov-action@v4
+      uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238  # v4
       with:
         token: ${{ secrets.CODECOV_TOKEN }}
         directory: ./coverage
@@ -80,7 +80,7 @@ jobs:
 
     - name: Upload coverage report as artifact
       if: always()
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4  # v5
       with:
         name: coverage-report
         path: coverage/
@@ -90,9 +90,9 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd  # v5
 
-    - uses: actions/setup-node@v6
+    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f  # v6
       with:
         node-version: 24
         cache: 'npm'