Pin workflows to protect against sec attacks (#294)

EliSchleifer · cursoragent · web-flow · commit 04ba50e7658c · 2026-05-14T16:29:00.000-07:00
Pin workflows one more time to most recent.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/.github/workflows/annotate_pr.yaml b/.github/workflows/annotate_pr.yaml
@@ -19,8 +19,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      # external users: trunk-io/trunk-action@v1
       - name: Trunk Check
-        # external users, use: trunk-io/trunk-action@v1
         uses: ./
         with:
           post-annotations: true
diff --git a/.github/workflows/cache_trunk.yaml b/.github/workflows/cache_trunk.yaml
@@ -18,8 +18,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      # external users: trunk-io/trunk-action@v1
       - name: Trunk Check
-        # external users, use: trunk-io/trunk-action@v1
         uses: ./
         with:
           check-mode: populate_cache_only
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -38,15 +38,15 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         # Override language selection by uncommenting this and choosing your languages
         with:
           languages: javascript
 
       # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).
       - name: Autobuild
-        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -60,4 +60,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
@@ -15,8 +15,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      # external users: trunk-io/trunk-action@v1
       - name: Trunk Check
-        # external users, use: trunk-io/trunk-action@v1
         uses: ./
         with:
           check-mode: all
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -17,8 +17,8 @@ jobs:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
+      # external users: trunk-io/trunk-action@v1
       - name: Trunk Check
-        # external users, use: trunk-io/trunk-action@v1
         uses: ./
 
   action_tests:
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -65,6 +65,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/weekly.yaml b/.github/workflows/weekly.yaml
@@ -25,9 +25,9 @@ jobs:
           app_id: ${{ secrets.TRUNK_OPEN_PR_APP_ID }}
           private_key: ${{ secrets.TRUNK_OPEN_PR_APP_PRIVATE_KEY }}
 
+      # external users: trunk-io/trunk-action/upgrade@v1
       - name: Trunk Upgrade
         id: upgrade
-        # external users: use trunk-io/trunk-action/upgrade@v1
         uses: ./upgrade
         with:
           github-token: ${{ steps.generate-token.outputs.token }}
diff --git a/.pinact.yaml b/.pinact.yaml
@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/suzuki-shunsuke/pinact/refs/heads/main/json-schema/pinact.json
+# pinact: https://github.com/suzuki-shunsuke/pinact — pin actions to SHA + semver comment.
+# Authenticated GitHub API is recommended (e.g. GITHUB_TOKEN=$(gh auth token) pinact run).
+version: 3
diff --git a/setup-env/action.yaml b/setup-env/action.yaml
@@ -99,14 +99,14 @@ runs:
 
     - name: Install pnpm
       if: env.PACKAGE_MANAGER == 'pnpm'
-      uses: pnpm/action-setup@08c4be7e2e672a47d11bd04269e27e5f3e8529cb # v6.0.0
+      uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
       with:
         version: ${{ env.PNPM_VERSION }}
 
     - name: Install Node dependencies
       id: setup_node
       if: env.PACKAGE_MANAGER && env.NODE_VERSION_FILE
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
         node-version-file: ${{ env.NODE_VERSION_FILE }}
       continue-on-error: true
@@ -127,7 +127,7 @@ runs:
 
     - name: Install backup node version
       if: env.PACKAGE_MANAGER && env.NODE_VERSION_FILE && env.INSTALL_LATEST_NODE == 'true'
-      uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
       with:
         node-version: latest
 
