security: pin github actions by commit (#2719)

2026-06-28 15:14:18 +00:00 · 2026-03-06 19:20:25 -03:00
parent a788034148
commit 90e6ef88dc
9 changed files with 37 additions and 37 deletions
--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -13,49 +13,49 @@ jobs:
    if: contains(github.event.pull_request.labels.*.name, 'needs-build')
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          fetch-depth: 0
-      - uses: actions/setup-go@v6
+      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: '1.26.x'
          cache: true
-      - uses: goreleaser/goreleaser-action@v7
+      - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7
        with:
          version: '~> v2'
          args: release --snapshot --clean --config .goreleaser-pr.yml
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: task_linux_amd64
          path: dist/task_linux_amd64.tar.gz
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: task_linux_arm64
          path: dist/task_linux_arm64.tar.gz
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: task_darwin_amd64
          path: dist/task_darwin_amd64.tar.gz
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: task_darwin_arm64
          path: dist/task_darwin_arm64.tar.gz
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: task_windows_amd64
          path: dist/task_windows_amd64.zip
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: checksums
          path: dist/task_checksums.txt
-      - uses: peter-evans/find-comment@v4
+      - uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
        id: find-comment
        with:
          token: ${{ secrets.GH_PAT || github.token }}
          issue-number: ${{ github.event.pull_request.number }}
          body-includes: '📦 Build artifacts ready!'
-      - uses: peter-evans/create-or-update-comment@v5
+      - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
        with:
          token: ${{ secrets.GH_PAT || github.token }}
          comment-id: ${{ steps.find-comment.outputs.comment-id }}