From e36bf6d6b1f5948bb97752ad76cb11d0c3cfe47f Mon Sep 17 00:00:00 2001
From: dagecko
Date: Tue, 7 Apr 2026 10:55:54 -0400
Subject: [PATCH] build: pin 20 third-party actions to immutable commit SHAs (#10625)

fix: pin 20 third-party actions to immutable commit SHAs

Signed-off-by: Chris Nyhuis
---
 .github/workflows/build-infra-dockers.yaml | 10 ++++-----
 .github/workflows/build-syncthing.yaml | 26 +++++++++++-----------
 .github/workflows/mirrors.yaml | 2 +-
 .github/workflows/pr-metadata.yaml | 2 +-
 .github/workflows/release-syncthing.yaml | 2 +-
 5 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/build-infra-dockers.yaml b/.github/workflows/build-infra-dockers.yaml
index 36a6b2853..918cd5d36 100644
--- a/.github/workflows/build-infra-dockers.yaml
+++ b/.github/workflows/build-infra-dockers.yaml
@@ -40,13 +40,13 @@ jobs:
 check-latest: true
 
 - name: Login to Docker Hub
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
 - name: Login to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -60,10 +60,10 @@ jobs:
 done
 
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
 - name: Set Docker tags (all branches)
 run: |
@@ -77,7 +77,7 @@ jobs:
 echo "TAGS=$tags" >> $GITHUB_ENV
 
 - name: Build and push
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
 with:
 context: .
 file: ./Dockerfile.${{ matrix.pkg }}
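Review bot: The `# v3` annotations on the two new `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3` lines (and the same pattern on every other pinned line in this patch) record a floating major tag rather than the exact release the SHA resolves to, so a reader cannot audit the pin against upstream and an updater that keys off the annotation has no precise baseline to advance from. Recording the exact tag keeps the pin verifiable, e.g. `uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.<minor>.<patch>` (constructed placeholder; substitute the tag that actually points at this SHA). Since nothing in the workflows enforces the new policy, a small lint step that fails when a third-party `uses:` reference is not a 40-hex SHA would keep later edits from quietly regressing to tags; the enclosing job starts outside this hunk.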
diff --git a/.github/workflows/build-syncthing.yaml b/.github/workflows/build-syncthing.yaml
index c25adb7dd..456df9ace 100644
--- a/.github/workflows/build-syncthing.yaml
+++ b/.github/workflows/build-syncthing.yaml
@@ -190,7 +190,7 @@ jobs:
 go-version: "~1.25.7" # temporarily stay on Go 1.25 due to linker error on Go 1.26
 cache: false
 
- - uses: mlugg/setup-zig@v2
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 
 - uses: actions/cache@v4
 with:
@@ -249,7 +249,7 @@ jobs:
 }
 
 - name: Sign files with Trusted Signing
- uses: azure/trusted-signing-action@v0.5.1
+ uses: azure/trusted-signing-action@0d74250c661747df006298d0fb49944c10f16e03 # v0.5.1
 with:
 azure-tenant-id: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
 azure-client-id: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
@@ -299,7 +299,7 @@ jobs:
 go-version: ${{ needs.facts.outputs.go-version }}
 cache: false
 
- - uses: mlugg/setup-zig@v2
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 
 - uses: actions/cache@v4
 with:
@@ -350,7 +350,7 @@ jobs:
 - uses: actions/checkout@v5
 
 - name: Build syncthing in OmniOS VM
- uses: vmactions/omnios-vm@v1
+ uses: vmactions/omnios-vm@68da93c6d9812b29fc90c5b5141b093f84a590fb # v1
 with:
 envs: "VERSION GO_VERSION CGO_ENABLED"
 usesh: true
@@ -723,7 +723,7 @@ jobs:
 go-version: ${{ needs.facts.outputs.go-version }}
 cache: false
 
- - uses: ruby/setup-ruby@v1
+ - uses: ruby/setup-ruby@eab2afb99481ca09a4e91171a8e0aee0e89bfedd # v1
 with:
 ruby-version: '3.0'
 
@@ -731,7 +731,7 @@ jobs:
 run: |
 gem install fpm
 
- - uses: mlugg/setup-zig@v2
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 
 - uses: actions/cache@v4
 with:
@@ -1016,7 +1016,7 @@ jobs:
 go-version: ${{ needs.facts.outputs.go-version }}
 cache: false
 
- - uses: mlugg/setup-zig@v2
+ - uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2
 
 - uses: actions/cache@v4
 with:
@@ -1046,17 +1046,17 @@ jobs:
 EXTRA_LDFLAGS: "-linkmode=external -extldflags=-static"
 
 - name: Login to GHCR
- uses: docker/login-action@v3
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
+ uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
 
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
+ uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
 
 - name: Set version tags
 run: |
@@ -1080,16 +1080,16 @@ jobs:
 echo Pushing to $tags
 echo "DOCKER_TAGS=$tags" >> $GITHUB_ENV
-
 env:
 REF_NAME: ${{github.ref_name}}
+
 - name: Prepare context dir
 run: |
 mkdir ctx
 mv bin/* script ctx
 
 - name: Build and push Docker image
- uses: docker/build-push-action@v6
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
 with:
 context: ctx
 file: ${{ matrix.dockerfile }}
@@ -1165,7 +1165,7 @@ jobs:
 run: go run build.go assets
 
 - name: golangci-lint
- uses: golangci/golangci-lint-action@v8
+ uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
 with:
 only-new-issues: true
 
diff --git a/.github/workflows/mirrors.yaml b/.github/workflows/mirrors.yaml
index ffc60592e..99eb472ec 100644
--- a/.github/workflows/mirrors.yaml
+++ b/.github/workflows/mirrors.yaml
@@ -11,7 +11,7 @@ jobs:
 - uses: actions/checkout@v3
 with:
 fetch-depth: 0
- - uses: yesolutions/mirror-action@master
+ - uses: yesolutions/mirror-action@662fce0eced8996f64d7fa264d76cddd84827f33 # master
 with:
 REMOTE: ssh://git@codeberg.org/${{ github.repository }}.git
 GIT_SSH_PRIVATE_KEY: ${{ secrets.CODEBERG_PUSH_KEY }}
diff --git a/.github/workflows/pr-metadata.yaml b/.github/workflows/pr-metadata.yaml
index b135e2208..c6364e909 100644
--- a/.github/workflows/pr-metadata.yaml
+++ b/.github/workflows/pr-metadata.yaml
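Review bot: In the mirrors.yaml hunk, the new `- uses: yesolutions/mirror-action@662fce0eced8996f64d7fa264d76cddd84827f33 # master` line annotates the pin with a branch name rather than a release, so nothing records which upstream state the SHA captures and a comment-driven updater has no tag to advance to; this pin will most likely stay frozen until someone edits it by hand. Given that this step receives `secrets.CODEBERG_PUSH_KEY`, freezing is a reasonable default, but the annotation should say so and carry a date, e.g. `# master as of <YYYY-MM-DD>, pinned deliberately; bump by hand` (date is a placeholder). The surrounding `actions/checkout@v3` context line is outside the commit's third-party scope, but it is two majors behind the `actions/checkout@v5` used in build-syncthing.yaml and is worth a follow-up.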
@@ -22,6 +22,6 @@ jobs:
 name: Set labels
 runs-on: ubuntu-latest
 steps:
- - uses: srvaroa/labeler@v1
+ - uses: srvaroa/labeler@9c29ad1ef33d169f9ef33c52722faf47a566bcf3 # v1
 env:
 GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/release-syncthing.yaml b/.github/workflows/release-syncthing.yaml
index f459beb9e..a80beec85 100644
--- a/.github/workflows/release-syncthing.yaml
+++ b/.github/workflows/release-syncthing.yaml
@@ -53,7 +53,7 @@ jobs:
 git push origin "$NEXT"
 
 - name: Trigger the build
- uses: benc-uk/workflow-dispatch@v1
+ uses: benc-uk/workflow-dispatch@7a027648b88c2413826b6ddd6c76114894dc5ec4 # v1
 with:
 workflow: build-syncthing.yaml
 ref: refs/tags/${{ env.NEXT }}