also pin official github actions

2026-04-18 00:26:54 -04:00 · 2025-10-15 12:48:49 +02:00
parent 446caff901
commit 83d2c39080
17 changed files with 42 additions and 42 deletions
--- a/.github/workflows/appimage.yml
+++ b/.github/workflows/appimage.yml
@@ -44,9 +44,9 @@ jobs:
            openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-aarch64_bin-jmods.zip'
            openjfx-sha: '951c52481af0ec5885b06f1ebaa8a10da7e8ea23c5e1ef3e2f6f11fa1b3a7ce1'
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -175,7 +175,7 @@ jobs:
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage.zsync
      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: appimage-${{ matrix.appimage-suffix }}
          path: |
@@ -201,7 +201,7 @@ jobs:
    if: github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable'
    steps:
      - name: Download AppImages
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
        with:
          path: downloads/
          merge-multiple: true
@@ -212,7 +212,7 @@ jobs:
          echo "x64-sha256sum=${X64_SHA256}" >> "$GITHUB_OUTPUT"
          AARCH64_SHA256=$(sha256sum downloads/cryptomator-*-aarch64.AppImage | cut -d ' ' -f1)
          echo "aarch64-sha256sum=${AARCH64_SHA256}" >> "$GITHUB_OUTPUT"
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          repository: 'cryptomator/aur-bin'
          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
--- a/.github/workflows/aur.yml
+++ b/.github/workflows/aur.yml
@@ -48,7 +48,7 @@ jobs:
    env:
      AUR_PR_URL: tbd
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          repository: 'cryptomator/aur'
          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
--- a/.github/workflows/av-whitelist.yml
+++ b/.github/workflows/av-whitelist.yml
@@ -41,7 +41,7 @@ jobs:
      - name: Download file
        run: curl --remote-name ${INPUT_URL} -L -o ${{steps.extractName.outputs.fileName}}
      - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: ${{ steps.extractName.outputs.fileName }}
          path: ${{ steps.extractName.outputs.fileName }}
@@ -53,7 +53,7 @@ jobs:
    if: github.event_name == 'workflow_call' || inputs.kaspersky
    steps:
      - name: Download artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
        with:
          name: ${{ needs.download-file.outputs.fileName }}
          path: upload
@@ -73,7 +73,7 @@ jobs:
    if: github.event_name == 'workflow_call'  || inputs.avast
    steps:
      - name: Download artifact
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
        with:
          name: ${{ needs.download-file.outputs.fileName }}
          path: upload
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,14 +22,14 @@ jobs:
    name: Compile and Test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-java@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
      - name: Cache SonarCloud packages
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
        with:
          path: ~/.sonar/cache
          key: ${{ runner.os }}-sonar
--- a/.github/workflows/check-jdk-updates.yml
+++ b/.github/workflows/check-jdk-updates.yml
@@ -26,7 +26,7 @@ jobs:
        run: echo 'JDK_MAJOR_VERSION=${{ env.JDK_VERSION }}'.substring(0,20) >> "$env:GITHUB_ENV"
        shell: pwsh
      - name: Checkout latest JDK ${{ env.JDK_MAJOR_VERSION }}
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          java-version: ${{ env.JDK_MAJOR_VERSION}}
          distribution: ${{ env.JDK_VENDOR }}
--- a/.github/workflows/debian.yml
+++ b/.github/workflows/debian.yml
@@ -44,7 +44,7 @@ jobs:
    env:
      INPUT_PPAVER: ${{ inputs.ppaver }}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - id: deb-version
        name: Determine deb-version
        run: |
@@ -59,7 +59,7 @@ jobs:
          sudo apt-get update
          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.COFFEELIBS_JDK }}=${{ env.COFFEELIBS_JDK_VERSION }}
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -142,7 +142,7 @@ jobs:
        run: |
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb
      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: linux-deb-package
          path: |
--- a/.github/workflows/dl-stats.yml
+++ b/.github/workflows/dl-stats.yml
@@ -10,7 +10,7 @@ jobs:
    steps:
      - name: Get download count of latest releases
        id: get-stats
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        with:
          script: |
            const query = `query($owner:String!, $name:String!) {
--- a/.github/workflows/error-db.yml
+++ b/.github/workflows/error-db.yml
@@ -14,7 +14,7 @@ jobs:
      - name: Query Discussion Data
        if: github.event_name == 'discussion_comment' || github.event_name == 'discussion' && github.event.action != 'deleted'
        id: query-data
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd
        with:
          script: |
            const query = `query ($owner: String!, $name: String!, $discussionNumber: Int!) {
--- a/.github/workflows/flathub.yml
+++ b/.github/workflows/flathub.yml
@@ -43,7 +43,7 @@ jobs:
    env:
      FLATHUB_PR_URL: tbd
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          repository: 'flathub/org.cryptomator.Cryptomator'
          token: ${{ secrets.CRYPTOBOT_PR_TOKEN }}
--- a/.github/workflows/get-version.yml
+++ b/.github/workflows/get-version.yml
@@ -35,11 +35,11 @@ jobs:
      revNum: ${{ steps.versions.outputs.revNum }}
      type: ${{ steps.versions.outputs.type}}
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
        with:
          fetch-depth: 0
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
--- a/.github/workflows/mac-dmg-x64.yml
+++ b/.github/workflows/mac-dmg-x64.yml
@@ -47,9 +47,9 @@ jobs:
          openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-x64_bin-jmods.zip'
          openjfx-sha: '0eba73fb28a24c845175d16fa2f8c081c936ce6de1be9b79eb6119fa32e53d52'
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -282,7 +282,7 @@ jobs:
        run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
        continue-on-error: true
      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: dmg-${{ matrix.output-suffix }}
          path: |
--- a/.github/workflows/mac-dmg.yml
+++ b/.github/workflows/mac-dmg.yml
@@ -45,9 +45,9 @@ jobs:
          openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-aarch64_bin-jmods.zip'
          openjfx-sha: '13f8c0513c40c95881479fbcf0465a29a60217393fb0656f5e4eab78a9442fba'
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -281,7 +281,7 @@ jobs:
        run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
        continue-on-error: true
      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: dmg-${{ matrix.output-suffix }}
          path: |
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -12,7 +12,7 @@ jobs:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008
        with:
          days-before-stale: 14
          days-before-close: 0
--- a/.github/workflows/pullrequest.yml
+++ b/.github/workflows/pullrequest.yml
@@ -16,8 +16,8 @@ jobs:
    name: Compile and Test
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-java@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+      - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
--- a/.github/workflows/release-check.yml
+++ b/.github/workflows/release-check.yml
@@ -19,9 +19,9 @@ jobs:
    name: Validate commits pushed to release/hotfix branch to fulfill release requirements
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
@@ -49,7 +49,7 @@ jobs:
            exit 1
          fi
      - name: Cache NVD DB
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830
        with:
          path: ~/.m2/repository/org/owasp/dependency-check-data/
          key: dependency-check-${{ github.run_id }}
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -12,7 +12,7 @@ jobs:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@v10
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008
        with:
          days-before-stale: 365
          days-before-close: 90
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -55,9 +55,9 @@ jobs:
            java-version: '24.0.1+9'
            java-package: 'jdk'
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ matrix.java-dist }}
          java-version: ${{ matrix.java-version }}
@@ -271,7 +271,7 @@ jobs:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: msi-${{ matrix.arch }}
          path: |
@@ -293,21 +293,21 @@ jobs:
            java-version: '24.0.1+9'
            java-package: 'jdk'
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
      - name: Install wix and extensions
        run: |
          dotnet tool install --global wix --version 6.0.0
          wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global
          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
      - name: Download .msi
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
        with:
          name: msi-${{ matrix.arch }}
          path: dist/win/bundle/resources
      - name: Strip version info from msi file name
        run: mv dist/win/bundle/resources/Cryptomator*.msi dist/win/bundle/resources/Cryptomator.msi
      - name: Setup Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
        with:
          distribution: ${{ matrix.java-dist }}
          java-version: ${{ matrix.java-version }}
@@ -390,7 +390,7 @@ jobs:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: Upload artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: exe-${{ matrix.executable-suffix }}
          path: |
@@ -408,7 +408,7 @@ jobs:
      download-url-exe-x64: ${{ fromJSON(steps.publish.outputs.assets)[2].browser_download_url }}
    steps:
      - name: Download installers
-        uses: actions/download-artifact@v5
+        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
        with:
          merge-multiple: true
      - name: Publish installers on GitHub Releases