Pin all gh actions to SHAs (#138)

jesserockz · web-flow · commit 4ba888b854f2 · 2025-10-03T22:18:59.000+13:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -79,12 +79,12 @@ jobs:
         file: ${{ fromJson(needs.prepare.outputs.files) }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5.0.0
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Replace project version
         run: |
           sed -i "s/version: dev/version: ${{ needs.prepare.outputs.version }}/g" ${{ matrix.file }}
       - name: Build Firmware
-        uses: esphome/build-action@v7.0.0
+        uses: esphome/build-action@76cd6898550762b189215bbe6e50e29080fd2c33 # v7.0.0
         id: esphome-build
         with:
           yaml-file: ${{ matrix.file }}
@@ -97,7 +97,7 @@ jobs:
           mkdir -p output/${{ needs.prepare.outputs.version }}
           mv ${{ steps.esphome-build.outputs.name }}/* output/${{ needs.prepare.outputs.version }}/
       - name: Upload artifact
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           # yamllint disable-line rule:line-length
           name: ${{ inputs.combined-name != '' && format('{0}-{1}', needs.prepare.outputs.artifact-prefix, steps.esphome-build.outputs.name) || steps.esphome-build.outputs.original-name }}
@@ -112,7 +112,7 @@ jobs:
     if: inputs.combined-name != ''
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: files
           pattern: ${{ needs.prepare.outputs.artifact-prefix }}-*
@@ -126,7 +126,7 @@ jobs:
           echo "EOF" >> $GITHUB_OUTPUT
 
       - name: Delete prefixed artifacts
-        uses: geekyeggo/delete-artifact@v5.1.0
+        uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0
         with:
           name: ${{ steps.artifacts.outputs.artifacts }}
 
@@ -147,7 +147,7 @@ jobs:
             files/*/$version/manifest.json > output/$version/manifest.json
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v4.6.2
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: ${{ inputs.combined-name }}
           path: output
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
@@ -43,7 +43,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Lock closed issues and PRs
-        uses: actions/github-script@v8.0.0
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const PR_CLOSE_DAYS = ${{ inputs.pr-close-days }};
diff --git a/.github/workflows/promote-r2.yml b/.github/workflows/promote-r2.yml
@@ -29,7 +29,7 @@ jobs:
     environment: ${{ inputs.channel }}
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: files
 
@@ -47,7 +47,7 @@ jobs:
           done
 
       - name: Upload ${{ inputs.manifest-filename }} to R2
-        uses: ryand56/r2-upload-action@v1.4
+        uses: ryand56/r2-upload-action@b801a390acbdeb034c5e684ff5e1361c06639e7c # v1.4
         with:
           r2-account-id: ${{ secrets.CLOUDFLARE_R2_ACCOUNT_ID }}
           r2-access-key-id: ${{ secrets.CLOUDFLARE_R2_ACCESS_KEY_ID }}
diff --git a/.github/workflows/upload-to-gh-release.yml b/.github/workflows/upload-to-gh-release.yml
@@ -16,7 +16,7 @@ jobs:
       contents: write
     steps:
       - name: Download Artifact
-        uses: actions/download-artifact@v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: files
 
@@ -52,7 +52,7 @@ jobs:
           popd
 
       - name: Upload files to release
-        uses: softprops/action-gh-release@v2.3.3
+        uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
         with:
           files: output/*
           tag_name: ${{ inputs.version }}
diff --git a/.github/workflows/upload-to-r2.yml b/.github/workflows/upload-to-r2.yml
@@ -17,14 +17,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v4.3.0
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
           path: files
 
       - run: tree
 
       - name: Upload files to R2
-        uses: ryand56/r2-upload-action@v1.4
+        uses: ryand56/r2-upload-action@b801a390acbdeb034c5e684ff5e1361c06639e7c # v1.4
         with:
           r2-account-id: ${{ secrets.CLOUDFLARE_R2_ACCOUNT_ID }}
           r2-access-key-id: ${{ secrets.CLOUDFLARE_R2_ACCESS_KEY_ID }}
