From 83d2c390802fb5afaef906dcaab0c61940be46cd Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 15 Oct 2025 12:48:49 +0200 Subject: [PATCH] also pin official github actions --- .github/workflows/appimage.yml | 10 +++++----- .github/workflows/aur.yml | 2 +- .github/workflows/av-whitelist.yml | 6 +++--- .github/workflows/build.yml | 6 +++--- .github/workflows/check-jdk-updates.yml | 2 +- .github/workflows/debian.yml | 6 +++--- .github/workflows/dl-stats.yml | 2 +- .github/workflows/error-db.yml | 2 +- .github/workflows/flathub.yml | 2 +- .github/workflows/get-version.yml | 4 ++-- .github/workflows/mac-dmg-x64.yml | 6 +++--- .github/workflows/mac-dmg.yml | 6 +++--- .github/workflows/no-response.yml | 2 +- .github/workflows/pullrequest.yml | 4 ++-- .github/workflows/release-check.yml | 6 +++--- .github/workflows/stale.yml | 2 +- .github/workflows/win-exe.yml | 16 ++++++++-------- 17 files changed, 42 insertions(+), 42 deletions(-) diff --git a/.github/workflows/appimage.yml b/.github/workflows/appimage.yml index afaf96459..6bcb09ba2 100644 --- a/.github/workflows/appimage.yml +++ b/.github/workflows/appimage.yml @@ -44,9 +44,9 @@ jobs: openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_linux-aarch64_bin-jmods.zip' openjfx-sha: '951c52481af0ec5885b06f1ebaa8a10da7e8ea23c5e1ef3e2f6f11fa1b3a7ce1' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} @@ -175,7 +175,7 @@ jobs: gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage.zsync - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: appimage-${{ matrix.appimage-suffix }} path: | @@ -201,7 +201,7 @@ jobs: if: github.event_name == 'release' && needs.get-version.outputs.versionType == 'stable' steps: - name: Download AppImages - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: path: downloads/ merge-multiple: true @@ -212,7 +212,7 @@ jobs: echo "x64-sha256sum=${X64_SHA256}" >> "$GITHUB_OUTPUT" AARCH64_SHA256=$(sha256sum downloads/cryptomator-*-aarch64.AppImage | cut -d ' ' -f1) echo "aarch64-sha256sum=${AARCH64_SHA256}" >> "$GITHUB_OUTPUT" - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 with: repository: 'cryptomator/aur-bin' token: ${{ secrets.CRYPTOBOT_PR_TOKEN }} diff --git a/.github/workflows/aur.yml b/.github/workflows/aur.yml index e1f5a45f0..4ed17afd5 100644 --- a/.github/workflows/aur.yml +++ b/.github/workflows/aur.yml @@ -48,7 +48,7 @@ jobs: env: AUR_PR_URL: tbd steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 with: repository: 'cryptomator/aur' token: ${{ secrets.CRYPTOBOT_PR_TOKEN }} diff --git a/.github/workflows/av-whitelist.yml b/.github/workflows/av-whitelist.yml index 2803a7eb8..9fac8729d 100644 --- a/.github/workflows/av-whitelist.yml +++ b/.github/workflows/av-whitelist.yml @@ -41,7 +41,7 @@ jobs: - name: Download file run: curl --remote-name ${INPUT_URL} -L -o ${{steps.extractName.outputs.fileName}} - name: Upload artifact - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: ${{ steps.extractName.outputs.fileName }} path: ${{ steps.extractName.outputs.fileName }} @@ -53,7 +53,7 @@ jobs: if: github.event_name == 'workflow_call' || inputs.kaspersky steps: - name: Download artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: name: ${{ needs.download-file.outputs.fileName }} path: upload @@ -73,7 +73,7 @@ jobs: if: github.event_name == 'workflow_call' || inputs.avast steps: - name: Download artifact - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: name: ${{ needs.download-file.outputs.fileName }} path: upload diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e794f594c..30336d8fa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,14 +22,14 @@ jobs: name: Compile and Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-java@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} cache: 'maven' - name: Cache SonarCloud packages - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 with: path: ~/.sonar/cache key: ${{ runner.os }}-sonar diff --git a/.github/workflows/check-jdk-updates.yml b/.github/workflows/check-jdk-updates.yml index c6eacb20c..0ada84896 100644 --- a/.github/workflows/check-jdk-updates.yml +++ b/.github/workflows/check-jdk-updates.yml @@ -26,7 +26,7 @@ jobs: run: echo 'JDK_MAJOR_VERSION=${{ env.JDK_VERSION }}'.substring(0,20) >> "$env:GITHUB_ENV" shell: pwsh - name: Checkout latest JDK ${{ env.JDK_MAJOR_VERSION }} - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: java-version: ${{ env.JDK_MAJOR_VERSION}} distribution: ${{ env.JDK_VENDOR }} diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml index 94d995c49..8ec0d8561 100644 --- a/.github/workflows/debian.yml +++ b/.github/workflows/debian.yml @@ -44,7 +44,7 @@ jobs: env: INPUT_PPAVER: ${{ inputs.ppaver }} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - id: deb-version name: Determine deb-version run: | @@ -59,7 +59,7 @@ jobs: sudo apt-get update sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.COFFEELIBS_JDK }}=${{ env.COFFEELIBS_JDK_VERSION }} - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} @@ -142,7 +142,7 @@ jobs: run: | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: linux-deb-package path: | diff --git a/.github/workflows/dl-stats.yml b/.github/workflows/dl-stats.yml index 92b18ba81..258a02da5 100644 --- a/.github/workflows/dl-stats.yml +++ b/.github/workflows/dl-stats.yml @@ -10,7 +10,7 @@ jobs: steps: - name: Get download count of latest releases id: get-stats - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | const query = `query($owner:String!, $name:String!) { diff --git a/.github/workflows/error-db.yml b/.github/workflows/error-db.yml index 6df929b3e..d42242f0b 100644 --- a/.github/workflows/error-db.yml +++ b/.github/workflows/error-db.yml @@ -14,7 +14,7 @@ jobs: - name: Query Discussion Data if: github.event_name == 'discussion_comment' || github.event_name == 'discussion' && github.event.action != 'deleted' id: query-data - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd with: script: | const query = `query ($owner: String!, $name: String!, $discussionNumber: Int!) { diff --git a/.github/workflows/flathub.yml b/.github/workflows/flathub.yml index e4977954a..d409f72c3 100644 --- a/.github/workflows/flathub.yml +++ b/.github/workflows/flathub.yml @@ -43,7 +43,7 @@ jobs: env: FLATHUB_PR_URL: tbd steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 with: repository: 'flathub/org.cryptomator.Cryptomator' token: ${{ secrets.CRYPTOBOT_PR_TOKEN }} diff --git a/.github/workflows/get-version.yml b/.github/workflows/get-version.yml index 163132eac..0b0582d63 100644 --- a/.github/workflows/get-version.yml +++ b/.github/workflows/get-version.yml @@ -35,11 +35,11 @@ jobs: revNum: ${{ steps.versions.outputs.revNum }} type: ${{ steps.versions.outputs.type}} steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 with: fetch-depth: 0 - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} diff --git a/.github/workflows/mac-dmg-x64.yml b/.github/workflows/mac-dmg-x64.yml index f71ad57a6..2d3a6a7d4 100644 --- a/.github/workflows/mac-dmg-x64.yml +++ b/.github/workflows/mac-dmg-x64.yml @@ -47,9 +47,9 @@ jobs: openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-x64_bin-jmods.zip' openjfx-sha: '0eba73fb28a24c845175d16fa2f8c081c936ce6de1be9b79eb6119fa32e53d52' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} @@ -282,7 +282,7 @@ jobs: run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db continue-on-error: true - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: dmg-${{ matrix.output-suffix }} path: | diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml index f56e5a308..d7455c7f8 100644 --- a/.github/workflows/mac-dmg.yml +++ b/.github/workflows/mac-dmg.yml @@ -45,9 +45,9 @@ jobs: openjfx-url: 'https://download2.gluonhq.com/openjfx/25/openjfx-25_osx-aarch64_bin-jmods.zip' openjfx-sha: '13f8c0513c40c95881479fbcf0465a29a60217393fb0656f5e4eab78a9442fba' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} @@ -281,7 +281,7 @@ jobs: run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db continue-on-error: true - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: dmg-${{ matrix.output-suffix }} path: | diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml index f35101148..d4f659e5e 100644 --- a/.github/workflows/no-response.yml +++ b/.github/workflows/no-response.yml @@ -12,7 +12,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 with: days-before-stale: 14 days-before-close: 0 diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml index f18a5db65..d90f33f4a 100644 --- a/.github/workflows/pullrequest.yml +++ b/.github/workflows/pullrequest.yml @@ -16,8 +16,8 @@ jobs: name: Compile and Test runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 - - uses: actions/setup-java@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 + - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} diff --git a/.github/workflows/release-check.yml b/.github/workflows/release-check.yml index 2d8ba91d6..bacec536d 100644 --- a/.github/workflows/release-check.yml +++ b/.github/workflows/release-check.yml @@ -19,9 +19,9 @@ jobs: name: Validate commits pushed to release/hotfix branch to fulfill release requirements runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ env.JAVA_DIST }} java-version: ${{ env.JAVA_VERSION }} @@ -49,7 +49,7 @@ jobs: exit 1 fi - name: Cache NVD DB - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 with: path: ~/.m2/repository/org/owasp/dependency-check-data/ key: dependency-check-${{ github.run_id }} diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index b261d293e..a63ef1c8b 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -12,7 +12,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v10 + - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 with: days-before-stale: 365 days-before-close: 90 diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml index e450aa465..d427280cf 100644 --- a/.github/workflows/win-exe.yml +++ b/.github/workflows/win-exe.yml @@ -55,9 +55,9 @@ jobs: java-version: '24.0.1+9' java-package: 'jdk' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ matrix.java-dist }} java-version: ${{ matrix.java-version }} @@ -271,7 +271,7 @@ jobs: GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: msi-${{ matrix.arch }} path: | @@ -293,21 +293,21 @@ jobs: java-version: '24.0.1+9' java-package: 'jdk' steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Install wix and extensions run: | dotnet tool install --global wix --version 6.0.0 wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global wix.exe extension add WixToolset.Util.wixext/6.0.0 --global - name: Download .msi - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: name: msi-${{ matrix.arch }} path: dist/win/bundle/resources - name: Strip version info from msi file name run: mv dist/win/bundle/resources/Cryptomator*.msi dist/win/bundle/resources/Cryptomator.msi - name: Setup Java - uses: actions/setup-java@v5 + uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 with: distribution: ${{ matrix.java-dist }} java-version: ${{ matrix.java-version }} @@ -390,7 +390,7 @@ jobs: GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} - name: Upload artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 with: name: exe-${{ matrix.executable-suffix }} path: | @@ -408,7 +408,7 @@ jobs: download-url-exe-x64: ${{ fromJSON(steps.publish.outputs.assets)[2].browser_download_url }} steps: - name: Download installers - uses: actions/download-artifact@v5 + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 with: merge-multiple: true - name: Publish installers on GitHub Releases