Pin reusable workflow actions to immutable SHAs

HDauven · HDauven · commit ee14f976e7f5 · 2026-03-02T21:58:59.000+01:00
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -8,6 +8,7 @@ The reusable workflows are configured for least privilege:
 - They run with `permissions: contents: read`.
 - `actions/checkout` uses `persist-credentials: false`.
 - For `pull_request` events, fork PR jobs are blocked on `core` by default. Set `allow_fork_pr_on_core: true` only if you explicitly want to allow that.
+- Third-party actions are pinned to immutable commit SHAs.
 
 Example:
 ```yaml
diff --git a/.github/workflows/cargo-deny.yml b/.github/workflows/cargo-deny.yml
@@ -20,10 +20,10 @@ jobs:
     runs-on: core
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Install stable Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
 
       - name: Install cargo-deny
         run: cargo install --locked cargo-deny
diff --git a/.github/workflows/code-analysis.yml b/.github/workflows/code-analysis.yml
@@ -27,21 +27,21 @@ jobs:
     if: ${{ inputs.allow_fork_pr_on_core || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     runs-on: core
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
-      - uses: dsherret/rust-toolchain-file@v1
+      - uses: dsherret/rust-toolchain-file@3551321aa44dd44a0393eb3b6bdfbc5d25ecf621 # v1
       - run: cargo fmt --all -- --check
 
   clippy:
     name: Clippy Check
     if: ${{ inputs.allow_fork_pr_on_core || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     runs-on: core
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
-      - uses: dsherret/rust-toolchain-file@v1
+      - uses: dsherret/rust-toolchain-file@3551321aa44dd44a0393eb3b6bdfbc5d25ecf621 # v1
       - name: Run Clippy
         shell: bash
         env:
diff --git a/.github/workflows/dusk-analysis.yml b/.github/workflows/dusk-analysis.yml
@@ -22,10 +22,10 @@ jobs:
     if: ${{ inputs.allow_fork_pr_on_core || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     runs-on: core
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
-      - uses: dsherret/rust-toolchain-file@v1
+      - uses: dsherret/rust-toolchain-file@3551321aa44dd44a0393eb3b6bdfbc5d25ecf621 # v1
 
       - name: Dusk checks
         working-directory: ${{ inputs.working-directory }}
diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -27,10 +27,10 @@ jobs:
     if: ${{ inputs.allow_fork_pr_on_core || github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
     runs-on: core
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
         with:
           persist-credentials: false
-      - uses: dsherret/rust-toolchain-file@v1
+      - uses: dsherret/rust-toolchain-file@3551321aa44dd44a0393eb3b6bdfbc5d25ecf621 # v1
       - name: Install Optional Rust Target
         if: ${{ inputs.rust_target }}
         shell: bash
