Commit eb80105

authored
chore: pin GitHub Actions versions to commit hashes (#123)
This will help prevent attacks such as [this one](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/). Dependabot is able to update these versions automatically, and it will preserve the readable version comments.
1 parent 5e2124a commit eb80105

3 files changed

+8
-8
lines changed


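--- a/.github/workflows/project_add.yml
+++ b/.github/workflows/project_add.yml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.actor != 'dependabot[bot]' }}
 steps:
-- uses: actions/add-to-project@v1.0.2
+- uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
 with:
 project-url: https://github.com/orgs/MeltanoLabs/projects/3
 github-token: ${{ secrets.MELTYBOT_PROJECT_ADD_PAT }}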
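Review bot: Nothing in this change checks that `244f685bbc3b7adfa8466e08b698b5577571133e` is really the commit behind the `v1.0.2` tag; the trailing comment is informational and the runner resolves only the hash. This step is handed `secrets.MELTYBOT_PROJECT_ADD_PAT`, so the hash should be compared with the tag in the upstream `actions/add-to-project` repository before merge, and the same check applies to the pins in release.yml and test.yml. The commit message relies on Dependabot to keep the pins current, but no Dependabot configuration is part of this commit, so confirm that the `github-actions` ecosystem is enabled; otherwise the pinned actions stop receiving fixes. The job's trigger and permissions are outside the hunk.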

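--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,20 +14,20 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 0
 
 - run: git fetch --force --tags
 
 - name: Set up Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 with:
 go-version: 1.24
 cache: true
 
 - name: Run GoReleaser
-uses: goreleaser/goreleaser-action@v6
+uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1
 with:
 distribution: goreleaser
 version: latest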
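Review bot: `version: latest` in the Run GoReleaser step leaves the release job running whatever GoReleaser build is newest at run time, so pinning `goreleaser/goreleaser-action` to a hash fixes only the wrapper and not the binary it downloads. For a job that publishes releases, set the input to an exact release, for example `version: vX.Y.Z  # placeholder: the GoReleaser release you have vetted`, and bump it deliberately. Separately, `go-version: 1.24` is an unquoted scalar that YAML reads as a float; `go-version: '1.24'` avoids the case where a later value such as 1.30 is read as 1.3. The job's trigger and permissions are outside the hunk.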

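--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -26,9 +26,9 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 - name: Install Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 with:
 go-version: ${{ matrix.go-version }}
 cache: true
@@ -50,7 +50,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v4
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
 - name: Start MinIO
 if: ${{ matrix.fs == 's3' }}
@@ -66,7 +66,7 @@ jobs:
 quay.io/minio/minio server /data --console-address ":9090"
 
 - name: Install Go
-uses: actions/setup-go@v5
+uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
 with:
 go-version: stable
 cache: true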
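Review bot: The Start MinIO step still references `quay.io/minio/minio` with no tag or digest on the visible line of the hunk at line 66, so the test job pulls a mutable image while the actions around it are now pinned to hashes. Pinning by digest, `quay.io/minio/minio@sha256:<digest>  # placeholder; keep the release tag in a comment`, gives the container the same guarantee this commit gives the actions. Only the last line of that command is inside the hunk, so check the lines above it for how the image is run and whether a tag is applied elsewhere.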
