chore(deps): pin dependencies (#729)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-19 14:08:24 -04:00 · 2026-04-02 23:44:53 +02:00
parent 95aadf6e73
commit afc77f55b8
5 changed files with 27 additions and 27 deletions
--- a/.github/actions/install-dependencies/action.yml
+++ b/.github/actions/install-dependencies/action.yml
@@ -5,11 +5,11 @@ description: Install dependencies
 runs:
  using: "composite"
  steps:
-    - uses: socketdev/action@v1
+    - uses: socketdev/action@937f824ec476dfd164d4a4d9995751427b0be143 # v1
      with:
        mode: firewall

-    - uses: oven-sh/setup-bun@v2
+    - uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2
      name: Install Bun
      with:
        bun-version: "1.3.11"
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -20,14 +20,14 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1

      - name: Install dependencies
        uses: "./.github/actions/install-dependencies"

-      - uses: oxc-project/oxlint-action@latest
+      - uses: oxc-project/oxlint-action@0cc5d219e22e8cdfd8f67be492213ad3860e25e4 # latest
        with:
          config: .oxlintrc.json
          deny-warnings: true
@@ -38,7 +38,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1

@@ -54,7 +54,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1

@@ -70,7 +70,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1

@@ -86,7 +86,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 1

--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -12,7 +12,7 @@ jobs:
    timeout-minutes: 20
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install dependencies
        uses: "./.github/actions/install-dependencies"
@@ -26,7 +26,7 @@ jobs:

      - name: Cache Playwright Browsers
        id: playwright-cache
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ~/.cache/ms-playwright
          key: ${{ runner.os }}-playwright-${{ steps.playwright-version.outputs.version }}
@@ -94,7 +94,7 @@ jobs:
        run: |
          docker exec zerobyte /bin/ash -c "ls -la /test-data" || true

-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
        if: always()
        with:
          name: playwright-report
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -14,23 +14,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Log in to Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
        with:
          driver: cloud
          endpoint: "meienberger/runtipi-builder"
          install: true

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
@@ -38,14 +38,14 @@ jobs:

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/zerobyte
          tags: |
            type=raw,value=nightly

      - name: Push images to GitHub Container Registry
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          target: production
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,33 +43,33 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          ref: ${{ github.ref }}

      - name: Log in to Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
        with:
          driver: cloud
          endpoint: "meienberger/runtipi-builder"
          install: true

      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build docker image
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          target: production
@@ -82,7 +82,7 @@ jobs:

      - name: Scan new image for vulnerabilities
        if: needs.determine-release-type.outputs.release_type == 'release'
-        uses: anchore/scan-action@v7
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7
        id: scan
        with:
          image: local/zerobyte:ci
@@ -92,13 +92,13 @@ jobs:

      - name: upload Anchore scan report
        if: needs.determine-release-type.outputs.release_type == 'release'
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

      - name: Docker meta
        id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6
        with:
          images: ghcr.io/${{ github.repository_owner }}/zerobyte
          tags: |
@@ -110,7 +110,7 @@ jobs:
            latest=${{ needs.determine-release-type.outputs.release_type == 'release' }}

      - name: Push images to GitHub Container Registry
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7
        with:
          context: .
          target: production
@@ -130,7 +130,7 @@ jobs:
    steps:
      - name: Create GitHub release
        id: create_release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with: