ci: pin third party actions to commit shas (#7687)

AriPerkkio · web-flow · commit 10bbbe969ee3 · 2025-03-17T13:48:38.000+02:00
diff --git a/.github/actions/setup-and-cache/action.yml b/.github/actions/setup-and-cache/action.yml
@@ -11,7 +11,7 @@ runs:
 
   steps:
     - name: Install pnpm
-      uses: pnpm/action-setup@v4
+      uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
     - name: Set node version to ${{ inputs.node-version }}
       uses: actions/setup-node@v4
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -11,6 +11,11 @@
     {
       "depTypeList": ["peerDependencies"],
       "enabled": false
+    },
+    {
+      "matchDepTypes": ["action"],
+      "excludePackagePrefixes": ["actions/", "github/"],
+      "pinDigests": true
     }
   ],
   "ignoreDeps": [
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -97,7 +97,7 @@ jobs:
         with:
           node-version: ${{ matrix.node_version }}
 
-      - uses: browser-actions/setup-chrome@v1
+      - uses: browser-actions/setup-chrome@c785b87e244131f27c9f19c1a33e2ead956ab7ce # v1.7.3
 
       - name: Install
         run: pnpm i
@@ -139,8 +139,8 @@ jobs:
         with:
           node-version: 20
 
-      - uses: browser-actions/setup-chrome@v1
-      - uses: browser-actions/setup-firefox@v1
+      - uses: browser-actions/setup-chrome@c785b87e244131f27c9f19c1a33e2ead956ab7ce # v1.7.3
+      - uses: browser-actions/setup-firefox@634a60ccd6599686158cf5a570481b4cd30455a2 # v1.5.4
 
       - name: Install
         run: pnpm i
diff --git a/.github/workflows/cr.yml b/.github/workflows/cr.yml
@@ -24,7 +24,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Set node version to 20
         uses: actions/setup-node@v4
diff --git a/.github/workflows/ecosystem-ci-trigger.yml b/.github/workflows/ecosystem-ci-trigger.yml
@@ -61,7 +61,7 @@ jobs:
               repo: pr.head.repo.full_name
             }
       - id: generate-token
-        uses: tibdex/github-app-token@v2
+        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
         with:
           app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}
           installation_retrieval_payload: '${{ github.repository_owner }}/vitest-ecosystem-ci'
diff --git a/.github/workflows/issue-close-require.yml b/.github/workflows/issue-close-require.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: needs reproduction
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
         with:
           actions: close-issues
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/issue-labeled.yml b/.github/workflows/issue-labeled.yml
@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: needs reproduction
         if: github.event.label.name == 'needs reproduction'
-        uses: actions-cool/issues-helper@v3
+        uses: actions-cool/issues-helper@a610082f8ac0cf03e357eb8dd0d5e2ba075e017e # v3.6.0
         with:
           actions: create-comment
           token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lock-closed-issues.yml b/.github/workflows/lock-closed-issues.yml
@@ -12,7 +12,7 @@ jobs:
     if: github.repository == 'vitest-dev/vitest'
     runs-on: ubuntu-latest
     steps:
-      - uses: dessant/lock-threads@v5
+      - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           issue-inactive-days: '14'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -20,7 +20,7 @@ jobs:
           fetch-depth: 0
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Set node version to 20
         uses: actions/setup-node@v4
diff --git a/docs/guide/improving-performance.md b/docs/guide/improving-performance.md
@@ -115,7 +115,7 @@ jobs:
           node-version: 20
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Install dependencies
         run: pnpm i
@@ -144,7 +144,7 @@ jobs:
           node-version: 20
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
 
       - name: Install dependencies
         run: pnpm i

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,11 @@`
`11`	`11`	`{`
`12`	`12`	`"depTypeList": ["peerDependencies"],`
`13`	`13`	`"enabled": false`
	`14`	`+ },`
	`15`	`+ {`
	`16`	`+ "matchDepTypes": ["action"],`
	`17`	`+ "excludePackagePrefixes": ["actions/", "github/"],`
	`18`	`+ "pinDigests": true`
`14`	`19`	`}`
`15`	`20`	`],`
`16`	`21`	`"ignoreDeps": [`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ jobs:`
`61`	`61`	`repo: pr.head.repo.full_name`
`62`	`62`	`}`
`63`	`63`	`- id: generate-token`
`64`		`- uses: tibdex/github-app-token@v2`
	`64`	`+ uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0`
`65`	`65`	`with:`
`66`	`66`	`app_id: ${{ secrets.ECOSYSTEM_CI_GITHUB_APP_ID }}`
`67`	`67`	`installation_retrieval_payload: '${{ github.repository_owner }}/vitest-ecosystem-ci'`