build: pin 20 third-party actions to immutable commit SHAs (#10625)

fix: pin 20 third-party actions to immutable commit SHAs

Signed-off-by: Chris Nyhuis <cnyhuis@vigilantnow.com>
dagecko
2026-04-07 10:55:54 -04:00
committed by GitHub
parent 5febc056a8
commit e36bf6d6b1
5 changed files with 21 additions and 21 deletions


@@ -40,13 +40,13 @@ jobs:
check-latest: true
- name: Login to Docker Hub
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GHCR
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
@@ -60,10 +60,10 @@ jobs:
done
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Set Docker tags (all branches)
run: |
@@ -77,7 +77,7 @@ jobs:
echo "TAGS=$tags" >> $GITHUB_ENV
- name: Build and push
uses: docker/build-push-action@v5
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
with:
context: .
file: ./Dockerfile.${{ matrix.pkg }}
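Review bot: The trailing comments on the new `uses:` lines in this file (`# v3`, `# v5`) name a moving major tag, so nothing records which release each SHA was resolved from, and a reviewer cannot check the hash against a published release without looking it up by hand. Put the exact release in the comment instead, e.g. `uses: docker/login-action@<commit-sha> # v3.x.y` (placeholder values; use the release the SHA actually belongs to), which is also the form that update bots generally rewrite when they bump a pin. The same applies to the `# v1`, `# v2`, `# v6` and `# v8` comments in the other files of this commit. SHA pins do not move on their own, so if no Dependabot or Renovate configuration covers `github-actions` (none is visible here), these steps will silently stop receiving upstream security fixes. The hunks begin and end inside the job's step list, so its triggers and `permissions:` are not visible.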


@@ -190,7 +190,7 @@ jobs:
go-version: "~1.25.7" # temporarily stay on Go 1.25 due to linker error on Go 1.26
cache: false
- uses: mlugg/setup-zig@v2
- uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
- uses: actions/cache@v4
with:
@@ -249,7 +249,7 @@ jobs:
}
- name: Sign files with Trusted Signing
uses: azure/trusted-signing-action@v0.5.1
uses: azure/trusted-signing-action@0d74250c661747df006298d0fb49944c10f16e03 # v0.5.1
with:
azure-tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
@@ -299,7 +299,7 @@ jobs:
go-version: ${{ needs.facts.outputs.go-version }}
cache: false
- uses: mlugg/setup-zig@v2
- uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
- uses: actions/cache@v4
with:
@@ -350,7 +350,7 @@ jobs:
- uses: actions/checkout@v5
- name: Build syncthing in OmniOS VM
uses: vmactions/omnios-vm@v1
uses: vmactions/omnios-vm@68da93c6d9812b29fc90c5b5141b093f84a590fb # v1
with:
envs: "VERSION GO_VERSION CGO_ENABLED"
usesh: true
@@ -723,7 +723,7 @@ jobs:
go-version: ${{ needs.facts.outputs.go-version }}
cache: false
- uses: ruby/setup-ruby@v1
- uses: ruby/setup-ruby@eab2afb99481ca09a4e91171a8e0aee0e89bfedd # v1
with:
ruby-version: '3.0'
@@ -731,7 +731,7 @@ jobs:
run: |
gem install fpm
- uses: mlugg/setup-zig@v2
- uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
- uses: actions/cache@v4
with:
@@ -1016,7 +1016,7 @@ jobs:
go-version: ${{ needs.facts.outputs.go-version }}
cache: false
- uses: mlugg/setup-zig@v2
- uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
- uses: actions/cache@v4
with:
@@ -1046,17 +1046,17 @@ jobs:
EXTRA_LDFLAGS: "-linkmode=external -extldflags=-static"
- name: Login to GHCR
uses: docker/login-action@v3
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Set version tags
run: |
@@ -1080,16 +1080,16 @@ jobs:
echo Pushing to $tags
echo "DOCKER_TAGS=$tags" >> $GITHUB_ENV
env:
REF_NAME: ${{github.ref_name}}
- name: Prepare context dir
run: |
mkdir ctx
mv bin/* script ctx
- name: Build and push Docker image
uses: docker/build-push-action@v6
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: ctx
file: ${{ matrix.dockerfile }}
@@ -1165,7 +1165,7 @@ jobs:
run: go run build.go assets
- name: golangci-lint
uses: golangci/golangci-lint-action@v8
uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
with:
only-new-issues: true
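Review bot: The context lines still show `actions/cache@v4` (after each `mlugg/setup-zig` step) and `actions/checkout@v5` on mutable tags, in the same workflow that passes the `AZURE_TRUSTED_SIGNING_*` secrets to the signing step. The commit title limits the change to third-party actions, so this looks deliberate, but a tag under `actions/` can be re-pointed like any other; either pin them the same way (`uses: actions/cache@<commit-sha> # v4.x.y`, placeholder values) or state the exemption in a comment at the top of the workflow. Separately, a SHA pin freezes only the action's own repository contents: `mlugg/setup-zig` and `vmactions/omnios-vm` presumably fetch a toolchain or VM image at run time, which the pin does not cover, so fix their version inputs explicitly where the action supports it. All hunks here start and end inside step lists, so job-level `permissions:` cannot be checked from this page.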


@@ -11,7 +11,7 @@ jobs:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: yesolutions/mirror-action@master
- uses: yesolutions/mirror-action@662fce0eced8996f64d7fa264d76cddd84827f33 # master
with:
REMOTE: ssh://git@codeberg.org/${{ github.repository }}.git
GIT_SSH_PRIVATE_KEY: ${{ secrets.CODEBERG_PUSH_KEY }}
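Review bot: The `# master` comment on the pinned `yesolutions/mirror-action` line names a branch rather than a release, so the SHA is simply whatever `master` pointed to when the pin was made, and nothing says when that was or how the next pin should be chosen. This step is handed `secrets.CODEBERG_PUSH_KEY`, so record the snapshot and the review expectation in the comment, e.g. `# master as of 2026-04-07 (commit date); review upstream diff before bumping`. The `actions/checkout@v3` step just above it stays on a mutable tag and is older than the `v5` used in the build workflow; it runs in the same job as the push key and deserves the same treatment. The job definition continues outside the hunk.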


@@ -22,6 +22,6 @@ jobs:
name: Set labels
runs-on: ubuntu-latest
steps:
- uses: srvaroa/labeler@v1
- uses: srvaroa/labeler@9c29ad1ef33d169f9ef33c52722faf47a566bcf3 # v1
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"


@@ -53,7 +53,7 @@ jobs:
git push origin "$NEXT"
- name: Trigger the build
uses: benc-uk/workflow-dispatch@v1
uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
with:
workflow: build-syncthing.yaml
ref: refs/tags/${{ env.NEXT }}