ci: pin all GitHub Actions to full commit SHAs

Sapd · Sapd · commit 983d55e40f02 · 2026-01-07T21:44:06.000+01:00
Pin all action dependencies to their full commit SHA
diff --git a/.github/workflows/build-windows.yml b/.github/workflows/build-windows.yml
@@ -8,10 +8,10 @@ jobs:
       run:
         shell: msys2 {0}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-      - uses: msys2/setup-msys2@v2
+      - uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda # v2.30.0
         with:
           msystem: MINGW64
           update: true
@@ -31,7 +31,7 @@ jobs:
           cd build
           ctest --output-on-failure
       - name: Upload artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: headsetcontrol.exe
           path: build/headsetcontrol.exe
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -33,14 +33,14 @@ jobs:
             shell: msys2 {0}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       # Windows: Setup MSYS2
       - name: Setup MSYS2
         if: runner.os == 'Windows'
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda # v2.30.0
         with:
           msystem: MINGW64
           update: true
@@ -49,7 +49,7 @@ jobs:
       # Linux/macOS: Setup CMake and Ninja
       - name: Setup CMake and Ninja
         if: runner.os != 'Windows'
-        uses: lukka/get-cmake@latest
+        uses: lukka/get-cmake@9e07ecdcee1b12e5037e42f410b67f03e2f626e1 # v4.2.1
 
       # Linux: Install GCC 13 for C++20 support
       - name: Install GCC 13 (Ubuntu)
@@ -70,7 +70,7 @@ jobs:
       # Linux/macOS: Build with CMake Presets
       - name: Build and test (Unix)
         if: runner.os != 'Windows'
-        uses: lukka/run-cmake@v10
+        uses: lukka/run-cmake@af1be47fd7c933593f687731bc6fdbee024d3ff4 # v10.8
         with:
           configurePreset: 'default'
           buildPreset: 'default'
diff --git a/.github/workflows/check-whitespace.yml b/.github/workflows/check-whitespace.yml
@@ -15,7 +15,7 @@ jobs:
         shell: bash
         run: echo "COMMIT_DEPTH=$((1 + ${{ github.event.pull_request.commits }}))" >> $GITHUB_ENV
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: ${{ env.COMMIT_DEPTH }}
 
@@ -41,7 +41,7 @@ jobs:
 
       - name: Post PR comment
         if: steps.check.outputs.has_errors == 'true'
-        uses: actions/github-script@v7
+        uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b # v7.1.0
         with:
           script: |
             const fs = require('fs');
diff --git a/.github/workflows/clang-format.yml b/.github/workflows/clang-format.yml
@@ -16,12 +16,12 @@ jobs:
       contents: read
       pull-requests: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Run cpp-linter
-        uses: cpp-linter/cpp-linter-action@v2
+        uses: cpp-linter/cpp-linter-action@b6edc0625e3941baa1797f4b4326adeab6890c97 # v2.16.7
         id: linter
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/continuos-release.yml b/.github/workflows/continuos-release.yml
@@ -56,14 +56,14 @@ jobs:
             build_type: unix
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       # =========== Linux Setup ===========
       - name: Cache apt packages
         if: matrix.os_name == 'linux'
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: /var/cache/apt/archives
           key: ${{ runner.os }}-apt-${{ hashFiles('.github/workflows/continuos-release.yml') }}
@@ -87,7 +87,7 @@ jobs:
       # =========== macOS Setup ===========
       - name: Cache Homebrew
         if: matrix.os_name == 'macos'
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           path: |
             ~/Library/Caches/Homebrew
@@ -104,7 +104,7 @@ jobs:
       # =========== Windows MinGW Setup ===========
       - name: Setup MSYS2 (MinGW)
         if: matrix.build_type == 'mingw'
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda # v2.30.0
         with:
           msystem: MINGW64
           update: true
@@ -113,19 +113,19 @@ jobs:
       # =========== Windows MSVC Setup ===========
       - name: Setup vcpkg (MSVC)
         if: matrix.build_type == 'msvc'
-        uses: lukka/run-vcpkg@v11
+        uses: lukka/run-vcpkg@5e0cab206a5ea620130caf672fce3e4a6b5666a1 # v11.5
         with:
           vcpkgGitCommitId: '01f602195983451bc83e72f4214af2cbc495aa94'  # 2024.05.24
           vcpkgJsonGlob: 'vcpkg.json'
 
       - name: Setup CMake and Ninja (MSVC)
         if: matrix.build_type == 'msvc'
-        uses: lukka/get-cmake@latest
+        uses: lukka/get-cmake@9e07ecdcee1b12e5037e42f410b67f03e2f626e1 # v4.2.1
 
       # =========== Linux/macOS CMake Setup ===========
       - name: Setup CMake and Ninja (Unix)
         if: matrix.build_type == 'unix'
-        uses: lukka/get-cmake@latest
+        uses: lukka/get-cmake@9e07ecdcee1b12e5037e42f410b67f03e2f626e1 # v4.2.1
 
       # =========== Build Steps ===========
 
@@ -143,7 +143,7 @@ jobs:
       # Windows MSVC Build
       - name: Build and test (Windows MSVC)
         if: matrix.build_type == 'msvc'
-        uses: lukka/run-cmake@v10
+        uses: lukka/run-cmake@af1be47fd7c933593f687731bc6fdbee024d3ff4 # v10.8
         with:
           configurePreset: 'windows-msvc'
           buildPreset: 'windows-msvc'
@@ -152,7 +152,7 @@ jobs:
       # Linux/macOS Build
       - name: Build and test (Unix)
         if: matrix.build_type == 'unix'
-        uses: lukka/run-cmake@v10
+        uses: lukka/run-cmake@af1be47fd7c933593f687731bc6fdbee024d3ff4 # v10.8
         with:
           configurePreset: 'default'
           buildPreset: 'default'
@@ -196,7 +196,7 @@ jobs:
 
       - name: Upload build artifacts (MinGW/Unix)
         if: matrix.build_type != 'msvc'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: headsetcontrol-${{ matrix.os_name }}-${{ matrix.architecture }}
           path: |
@@ -206,7 +206,7 @@ jobs:
 
       - name: Upload build artifacts (MSVC)
         if: matrix.build_type == 'msvc'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: headsetcontrol-${{ matrix.os_name }}-${{ matrix.architecture }}
           path: |
@@ -220,12 +220,12 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
 
       - name: Download all artifacts
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           merge-multiple: true
           path: ./artifacts
@@ -279,7 +279,7 @@ jobs:
           echo "*Built from commit: \`${{ github.sha }}\`*" >> CHANGELOG.md
 
       - name: Create/Update continuous release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
         with:
           tag: continuous
           name: 'Continuous Build'
diff --git a/.github/workflows/repo-device-requested.yml b/.github/workflows/repo-device-requested.yml
@@ -11,7 +11,7 @@ jobs:
       issues: write
     steps:
       - name: Add comment
-        uses: peter-evans/create-or-update-comment@v3
+        uses: peter-evans/create-or-update-comment@23ff15729ef2fc348714a3bb66d2f655ca9066f2 # v3.1.0
         with:
           issue-number: ${{ github.event.issue.number }}
           body: |
diff --git a/.github/workflows/repo-stale.yml b/.github/workflows/repo-stale.yml
@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v8
+      - uses: actions/stale@1160a2240286f5da8ec72b1c0816ce2481aabf84 # v8.0.0
         with:
           stale-issue-message: 'This issue is stale because it has been open 300 days with no activity. Remove stale label or comment or this will be closed in 60 days.'
           stale-pr-message: 'This PR is stale because it has been open 300 days with no activity. Remove stale label or comment or this will be closed in 60 days.'
