ci: pin GH actions (#375)

matt-FFFFFF · web-flow · commit 8fc21b0e4a33 · 2025-06-13T09:23:53.000+01:00
uses pinact to pin gh actions to commit sha
diff --git a/.github/workflows/Prerelease.yml b/.github/workflows/Prerelease.yml
@@ -22,7 +22,7 @@ jobs:
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
       - name: Display the path
@@ -38,18 +38,18 @@ jobs:
         shell: pwsh
         run: Invoke-Build -File .\src\ALZ.build.ps1
       - name: Upload pester results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: pester-results
           path: .\src\Artifacts\testOutput
           if-no-files-found: warn
       - name: Upload zip module archive build
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: zip-archive
           path: .\src\Archive
           if-no-files-found: warn
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.25.0
         id: create_release
         with:
           config-name: prerelease-drafter.yml
@@ -60,18 +60,18 @@ jobs:
         run: |
           $tag_version = "${{ steps.create_release.outputs.tag_name }}".Replace("-alpha", "")
           ./package_ALZ.ps1 -version $tag_version -prerelease alpha
-      - uses: montudor/action-zip@v1
+      - uses: montudor/action-zip@a8e75c9faefcd80fac3baf53ef40b9b119d5b702 # v1
         with:
           args: zip -qq -r ALZ.zip ALZ
-      - uses: actions/upload-release-asset@v1.0.1
+      - uses: actions/upload-release-asset@64e5e85fc528f162d7ba7ce2d15a3bb67efb3d80 # v1.0.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./ALZ.zip
           asset_name: ALZ.zip
           asset_content_type: application/zip
-      - uses: eregon/publish-release@v1
+      - uses: eregon/publish-release@01df127f5e9a3c26935118e22e738d95b59d10ce # v1.0.6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/PullRequest.yml b/.github/workflows/PullRequest.yml
@@ -16,7 +16,7 @@ jobs:
         pwsh: ['7.1.3', '7.5.0']
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
       - name: Display the path
@@ -32,7 +32,7 @@ jobs:
         shell: pwsh
         run: Invoke-Build -File .\src\ALZ.build.ps1
       - name: Upload pester results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: pester-results
           path: .\src\Artifacts\testOutput
diff --git a/.github/workflows/Release.yml b/.github/workflows/Release.yml
@@ -19,7 +19,7 @@ jobs:
     steps:
       # Drafts your next Release notes as Pull Requests are merged into "master"
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           fetch-depth: 0
       - name: Display the path
@@ -35,18 +35,18 @@ jobs:
         shell: pwsh
         run: Invoke-Build -File .\src\ALZ.build.ps1
       - name: Upload pester results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: pester-results
           path: .\src\Artifacts\testOutput
           if-no-files-found: warn
       - name: Upload zip module archive build
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: zip-archive
           path: .\src\Archive
           if-no-files-found: warn
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@09c613e259eb8d4e7c81c2cb00618eb5fc4575a7 # v5.25.0
         id: create_release
         with:
           config-name: release-drafter.yml
@@ -56,18 +56,18 @@ jobs:
         shell: pwsh
         run: |
           ./package_ALZ.ps1 -version ${{ steps.create_release.outputs.tag_name }}
-      - uses: montudor/action-zip@v1
+      - uses: montudor/action-zip@a8e75c9faefcd80fac3baf53ef40b9b119d5b702 # v1
         with:
           args: zip -qq -r ALZ.zip ALZ
-      - uses: actions/upload-release-asset@v1.0.1
+      - uses: actions/upload-release-asset@64e5e85fc528f162d7ba7ce2d15a3bb67efb3d80 # v1.0.1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
           asset_path: ./ALZ.zip
           asset_name: ALZ.zip
           asset_content_type: application/zip
-      - uses: eregon/publish-release@v1
+      - uses: eregon/publish-release@01df127f5e9a3c26935118e22e738d95b59d10ce # v1.0.6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -13,4 +13,4 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
diff --git a/.github/workflows/pr-title-check.yml b/.github/workflows/pr-title-check.yml
@@ -12,6 +12,6 @@ jobs:
     name: Validate PR Title
     runs-on: ubuntu-latest
     steps:
-      - uses: amannn/action-semantic-pull-request@v5
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -15,14 +15,14 @@ jobs:
     name: super linter
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v3
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: latest
           terraform_wrapper: false
       - name: Run github/super-linter/slim
-        uses: github/super-linter/slim@v5
+        uses: github/super-linter/slim@45fc0d88288beee4701c62761281edfee85655d7 # v5.0.0
         env:
           # Lint all code
           VALIDATE_ALL_CODEBASE: true
diff --git a/.github/workflows/wiki-sync.yml b/.github/workflows/wiki-sync.yml
@@ -25,13 +25,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Source Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           repository: ${{ env.wiki_source_repo }}
           path: ${{ env.wiki_source_repo }}
 
       - name: Checkout Wiki Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
         with:
           repository: ${{ env.wiki_target_repo }}
           path: ${{ env.wiki_target_repo }}
