From 75d094cf145adb5817ed0e05f1fc04d03b03e8de Mon Sep 17 00:00:00 2001 From: Joshua Li Date: Mon, 23 Mar 2026 23:41:11 -0700 Subject: [PATCH] chore: pin GitHub Actions to full-length commit SHAs --- .github/workflows/build.yml | 26 ++++++++++++------------- .github/workflows/changelog-preview.yml | 2 +- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/release.yml | 2 +- 4 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b4ed6e218..576eba8f8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -20,9 +20,9 @@ jobs: APPLE_CERT_PATH: /tmp/certs.p12 APPLE_API_KEY_PATH: /tmp/apple_key.json steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: 'package.json' cache: 'yarn' @@ -42,7 +42,7 @@ jobs: echo "$APPLE_CERT_DATA" | base64 --decode > ${{ env.APPLE_CERT_PATH }} echo "$APPLE_API_KEY" | base64 --decode > ${{ env.APPLE_API_KEY_PATH }} - name: Fossilize Cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: key: yarn-${{ hashFiles('yarn.lock') }} restore-keys: yarn- @@ -60,7 +60,7 @@ jobs: - name: Pack run: yarn pack - name: Archive Artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ github.sha }} if-no-files-found: error @@ -74,9 +74,9 @@ jobs: needs: job_build runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: 'package.json' cache: 'yarn' 
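Review bot: The trailing `# v4` comments on the new `uses:` lines record only the major, which is not enough to check that a SHA is the commit the tag pointed to, and update tooling that reads the comment to bump pins gets no exact version to compare against; the pnpm pin already in this file (hunk -176, `# pin@v4.2.0`) shows the fuller form. Consider writing the exact resolved tag on each pin, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>` (placeholder; fill in from the upstream release that the SHA belongs to), and the same for the setup-node, cache, upload-artifact and download-artifact pins in this hunk, in the -42, -60, -74, -96, -146, -176 and -200 hunks, and for the changelog-preview and release pins. Since the pinned SHA is now the only thing that fixes what runs, the review should also confirm each SHA resolves to a tag in the named action's own repository rather than a fork, which I cannot verify from the diff.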
@@ -96,9 +96,9 @@ jobs: - ubuntu-latest - macos-15 # We need to use macos-15 to test with Xcode 16 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Set up Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: 'package.json' node-version: ${{ matrix.node }} @@ -146,9 +146,9 @@ jobs: outputs: wizards: ${{ steps.generate-matrix.outputs.wizards }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 cache: 'yarn' @@ -176,13 +176,13 @@ jobs: SENTRY_TEST_ORG: 'sentry-javascript-sdks' SENTRY_TEST_PROJECT: 'sentry-wizard-e2e-tests' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: Setup pnpm uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # pin@v4.2.0 with: version: 10 - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 22 cache: 'yarn' @@ -200,7 +200,7 @@ jobs: - name: Install dependencies with yarn run: yarn install --frozen-lockfile - name: Download built binaries from build job - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: ${{ github.sha }} - # This debug step is left-in on purpose, as it helps debug test failures of diff --git a/.github/workflows/changelog-preview.yml b/.github/workflows/changelog-preview.yml index 3554256a6..9f1299956 100644 --- a/.github/workflows/changelog-preview.yml +++ b/.github/workflows/changelog-preview.yml 
@@ -11,5 +11,5 @@ permissions: jobs: changelog-preview: - uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2 + uses: getsentry/craft/.github/workflows/changelog-preview.yml@f4889d04564e47311038ecb6b910fef6b6cf1363 # v2 secrets: inherit diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 35c9d59ea..60eb05d93 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -41,11 +41,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@2adeade71c5a811210de40b090a358ed9581536c # v1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -56,7 +56,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v1 + uses: github/codeql-action/autobuild@2adeade71c5a811210de40b090a358ed9581536c # v1 # â„šī¸ Command-line programs to run using the OS shell. # 📚 https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions @@ -70,4 +70,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@2adeade71c5a811210de40b090a358ed9581536c # v1 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6a239f66c..d76616a26 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
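Review bot: The codeql-analysis.yml hunks at -41, -56 and -70 pin `actions/checkout@v2` and `github/codeql-action/{init,autobuild,analyze}@v1` to commits on major lines that are, as far as I know, deprecated and no longer receiving fixes, so the pin freezes a retired action rather than a maintained one; the same applies to the `actions/checkout@v2` pin in the release.yml hunk at -30. The rest of this patch already pins `actions/checkout` at a v4 commit (`34e114876b0b11c390a56381ad16ebd13914f8d5`), so these two files could use that same SHA, and the codeql-action steps should move to the current supported major before being pinned, since a pinned SHA on an unmaintained line will never be bumped by its upstream. Whether code-scanning still accepts results from that v1 line is not something the diff shows; confirm against the repository's recent CodeQL runs.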
@@ -30,7 +30,7 @@ jobs: with: app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }} private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }} - - uses: actions/checkout@v2 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2 with: token: ${{ steps.token.outputs.token }} fetch-depth: 0