misc: pin actions to a full-length commit SHA (#6984)

Co-authored-by: Joshua Chen <sidachen2003@gmail.com> Co-authored-by: Sébastien Lorber <slorber@users.noreply.github.com>
2025-12-26 01:33:02 +00:00 · 2022-04-13 11:45:19 -05:00 · 2022-04-13 11:45:19 -05:00 · ce08891af3
parent 5fb0a2e274
commit ce08891af3
11 changed files with 67 additions and 35 deletions
--- a/.github/workflows/build-blog-only.yml
+++ b/.github/workflows/build-blog-only.yml
@ -7,14 +7,17 @@ on:
    paths:
      - packages/docusaurus/**

+permissions:
+  contents: read
+
 jobs:
  build:
    name: Build Blog-only
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
+      - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
--- a/.github/workflows/build-perf.yml
+++ b/.github/workflows/build-perf.yml
@ -12,18 +12,26 @@ on:
    paths-ignore:
      - website/docs/**

+permissions:
+  contents: read
+
 jobs:
  build-size:
+    permissions:
+      checks: write # for preactjs/compressed-size-action to create and update the checks
+      contents: read # for actions/checkout to fetch code
+      issues: write # for preactjs/compressed-size-action to create comments
+      pull-requests: write # for preactjs/compressed-size-action to write a PR review
    name: Build Size Report
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
+      - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
-      - uses: preactjs/compressed-size-action@v2
+      - uses: preactjs/compressed-size-action@8119d3d31b6e57b167e09c81dfa877eada3bcb35 # v2
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          build-script: build:website:en
@ -37,8 +45,8 @@ jobs:
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
+      - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          cache: yarn
      - name: Installation
--- a/.github/workflows/canary-release.yml
+++ b/.github/workflows/canary-release.yml
@ -7,16 +7,19 @@ on:
    paths:
      - packages/**

+permissions:
+  contents: read
+
 jobs:
  publish-canary:
    name: Publish Canary
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3
        with:
          fetch-depth: 0 # Needed to get the commit number with "git rev-list --count HEAD"
      - name: Set up Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -27,12 +27,12 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@883476649888a9e8e219d5b2e6b789dc024f690c # v1
        with:
          languages: ${{ matrix.language }}

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@883476649888a9e8e219d5b2e6b789dc024f690c # v1
--- a/.github/workflows/lighthouse-report.yml
+++ b/.github/workflows/lighthouse-report.yml
@ -10,16 +10,16 @@ jobs:
    name: Lighthouse Report
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - name: Wait for the Netlify Preview
-        uses: jakepartusch/wait-for-netlify-action@v1
+        uses: jakepartusch/wait-for-netlify-action@7dcdeb40c6bc3710a8099702a1fa1ce2c5e322a6 # v1
        id: netlify
        with:
          site_name: docusaurus-2
          max_timeout: 600
      - name: Audit URLs using Lighthouse
        id: lighthouse_audit
-        uses: treosh/lighthouse-ci-action@9.3.0
+        uses: treosh/lighthouse-ci-action@b4dfae3eb959c5226e2c5c6afd563d493188bfaf # 9.3.0
        with:
          urls: |
            https://deploy-preview-$PR_NUMBER--docusaurus-2.netlify.app/
@ -30,7 +30,7 @@ jobs:
          PR_NUMBER: ${{ github.event.pull_request.number}}
      - name: Format lighthouse score
        id: format_lighthouse_score
-        uses: actions/github-script@v6
+        uses: actions/github-script@9ac08808f993958e9de277fe43a64532a609130e # v6
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
@ -55,7 +55,7 @@ jobs:

      - name: Add Lighthouse stats as comment
        id: comment_to_pr
-        uses: marocchino/sticky-pull-request-comment@v2.2.0
+        uses: marocchino/sticky-pull-request-comment@39c5b5dc7717447d0cba270cd115037d32d28443 # v2.2.0
        with:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          number: ${{ github.event.pull_request.number }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -5,14 +5,17 @@ on:
    branches:
      - main

+permissions:
+  contents: read
+
 jobs:
  lint:
    name: Lint
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
+      - uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
--- a/.github/workflows/showcase-test.yml
+++ b/.github/workflows/showcase-test.yml
@ -7,15 +7,18 @@ on:
    paths:
      - website/src/data/**

+permissions:
+  contents: read
+
 jobs:
  validate-config:
    name: Validate Showcase Config
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - name: Set up Node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
--- a/.github/workflows/tests-e2e.yml
+++ b/.github/workflows/tests-e2e.yml
@ -12,6 +12,9 @@ on:
    paths-ignore:
      - website/**

+permissions:
+  contents: read
+
 jobs:
  yarn-v1:
    name: E2E — Yarn v1
@ -21,9 +24,9 @@ jobs:
      matrix:
        node: ['14', '16', '17']
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - name: Use Node.js ${{ matrix.node }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: ${{ matrix.node }}
          cache: yarn
@ -59,9 +62,9 @@ jobs:
          - variant: -st
            nodeLinker: pnp
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
@ -104,9 +107,9 @@ jobs:
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3
      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
@ -133,9 +136,9 @@ jobs:
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 #v3
      - name: Use Node.js 16
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: '16'
          cache: yarn
--- a/.github/workflows/tests-swizzle.yml
+++ b/.github/workflows/tests-swizzle.yml
@ -7,6 +7,9 @@ on:
    paths:
      - packages/**

+permissions:
+  contents: read
+
 jobs:
  test:
    name: Swizzle
@ -17,9 +20,9 @@ jobs:
        action: ['eject', 'wrap']
        variant: ['js', 'ts']
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: 14
          cache: yarn
--- a/.github/workflows/tests-windows.yml
+++ b/.github/workflows/tests-windows.yml
@ -7,6 +7,9 @@ on:
    paths-ignore:
      - website/**

+permissions:
+  contents: read
+
 jobs:
  windows-test:
    name: Windows Tests
@ -18,9 +21,9 @@ jobs:
    steps:
      - name: Support longpaths
        run: git config --system core.longpaths true
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - name: Use Node.js ${{ matrix.node }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: ${{ matrix.node }}
      - name: Installation
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@ -7,6 +7,9 @@ on:
    paths-ignore:
      - website/**

+permissions:
+  contents: read
+
 jobs:
  test:
    name: Tests
@ -16,9 +19,9 @@ jobs:
      matrix:
        node: ['14', '16', '17']
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846 # v3
      - name: Use Node.js ${{ matrix.node }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@9ced9a43a244f3ac94f13bfd896db8c8f30da67a # v3
        with:
          node-version: ${{ matrix.node }}
          cache: yarn