ci: pin actions by sha

python-poetry · Mar 26, 2024 · fe9f85b · fe9f85b · bswck · Mar 26, 2024
1 parent 3494cdb
commit fe9f85b
Show file tree

Hide file tree

Showing 8 changed files with 27 additions and 27 deletions.
diff --git a/.github/actions/bootstrap-poetry/action.yaml b/.github/actions/bootstrap-poetry/action.yaml
@@ -26,7 +26,7 @@ outputs:
 runs:
  using: composite
  steps:
- - uses: actions/setup-python@v5
+ - uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5
  id: setup-python
  if: inputs.python-version != 'default'
  with:

diff --git a/.github/actions/poetry-install/action.yaml b/.github/actions/poetry-install/action.yaml
@@ -26,7 +26,7 @@ runs:
  if: inputs.cache == 'true'
  shell: bash
 
- - uses: actions/cache@v4
+ - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
  id: cache
  if: inputs.cache == 'true'
  with:

diff --git a/.github/workflows/.tests-matrix.yaml b/.github/workflows/.tests-matrix.yaml
@@ -28,7 +28,7 @@ jobs:
  runs-on: ${{ inputs.runner }}
  if: inputs.run-mypy
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
  - uses: ./.github/actions/bootstrap-poetry
  id: bootstrap-poetry
@@ -37,7 +37,7 @@ jobs:
 
  - uses: ./.github/actions/poetry-install
 
- - uses: actions/cache@v4
+ - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4
  with:
  path: .mypy_cache
  key: mypy-${{ runner.os }}-py${{ steps.bootstrap-poetry.outputs.python-version }}-${{ hashFiles('pyproject.toml', 'poetry.lock') }}
@@ -52,7 +52,7 @@ jobs:
  runs-on: ${{ inputs.runner }}
  if: inputs.run-pytest
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
  - uses: ./.github/actions/bootstrap-poetry
  with:
@@ -74,7 +74,7 @@ jobs:
  runs-on: ${{ inputs.runner }}
  if: inputs.run-pytest-export
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
  - uses: ./.github/actions/bootstrap-poetry
  with:
@@ -87,7 +87,7 @@ jobs:
  - run: poetry run pip list --format json | jq -r '.[] | "\(.name)=\(.version)"' >> $GITHUB_OUTPUT
  id: package-versions
 
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
  with:
  path: poetry-plugin-export
  repository: python-poetry/poetry-plugin-export

diff --git a/.github/workflows/backport.yaml b/.github/workflows/backport.yaml
@@ -21,9 +21,9 @@ jobs:
  )
  )
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
  # This workflow requires a non-GHA token in order to trigger downstream CI, and to access the 'fork' repository.
- - uses: actions/create-github-app-token@v1
+ - uses: actions/create-github-app-token@78e5f2ddc08efcb88fbbee6cfa3fed770ba550c3 # v1
  id: app-token
  with:
  app-id: ${{ secrets.POETRY_TOKEN_APP_ID }}
@@ -37,4 +37,4 @@ jobs:
 
  ./.github/scripts/backport.sh --pr ${{ github.event.pull_request.number }} --comment --remote fork
  env:
-  GH_TOKEN: ${{ steps.app-token.outputs.token }}
+ GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/docs.yaml b/.github/workflows/docs.yaml
@@ -27,20 +27,20 @@ jobs:
  contents: read
  pull-requests: write
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
  with:
  repository: python-poetry/website
 
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
  with:
  path: poetry
  ref: ${{ github.event.pull_request.head.sha }}
 
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
  with:
  node-version: "18"
 
- - uses: peaceiris/actions-hugo@v2
+ - uses: peaceiris/actions-hugo@16361eb4acea8698b220b76c0d4e84e1fd22c61d # v2
  with:
  hugo-version: '0.83.1'
 
@@ -59,7 +59,7 @@ jobs:
  # Build the static website.
  hugo -v --minify
 
- - uses: amondnet/vercel-action@v25
+ - uses: amondnet/vercel-action@16e87c0a08142b0d0d33b76aeaf20823c381b9b9 # v25
  with:
  vercel-token: ${{ secrets.VERCEL_TOKEN }}
  github-token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/lock-threads.yaml b/.github/workflows/lock-threads.yaml
@@ -14,7 +14,7 @@ jobs:
  permissions:
  issues: write
  steps:
- - uses: dessant/lock-threads@v5
+ - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5
  with:
  process-only: issues
  issue-inactive-days: 30
@@ -29,7 +29,7 @@ jobs:
  issues: write
  pull-requests: write
  steps:
- - uses: dessant/lock-threads@v5
+ - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5
  with:
  process-only: prs
  pr-inactive-days: 30

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,11 +9,11 @@ jobs:
  name: Build
  runs-on: ubuntu-latest
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
  - run: pipx run build
 
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
  with:
  name: distfiles
  path: dist/
@@ -26,7 +26,7 @@ jobs:
  contents: write
  needs: build
  steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4
  with:
  name: distfiles
 
@@ -42,10 +42,10 @@ jobs:
  id-token: write
  needs: build
  steps:
- - uses: actions/download-artifact@v4
+ - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4
  with:
  name: distfiles
 
- - uses: pypa/gh-action-pypi-publish@release/v1
+ - uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # release/v1
  with:
  print-hash: true
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -23,9 +23,9 @@ jobs:
  src: ${{ steps.changes.outputs.src }}
  tests: ${{ steps.changes.outputs.tests }}
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
- - uses: dorny/paths-filter@v3
+ - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
  id: changes
  with:
  filters: |
@@ -54,7 +54,7 @@ jobs:
  if: needs.changes.outputs.project == 'true'
  needs: changes
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
  - uses: ./.github/actions/bootstrap-poetry
 
@@ -66,7 +66,7 @@ jobs:
  if: needs.changes.outputs.project == 'true'
  needs: lockfile
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
  - run: pipx run build
 
@@ -85,7 +85,7 @@ jobs:
  if: needs.changes.outputs.fixtures-pypi == 'true'
  needs: changes
  steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
 
  - uses: ./.github/actions/bootstrap-poetry