From 27eae80466a43ea5e181309fb150730b0283c9a0 Mon Sep 17 00:00:00 2001
From: "Simon L."
Date: Thu, 22 Jan 2026 17:50:28 +0100
Subject: [PATCH] pin all actions via commit hash
Signed-off-by: Simon L.
---
 .github/workflows/codespell.yml | 2 +-
 .github/workflows/collabora.yml | 2 +-
 .github/workflows/community-containers.yml | 2 +-
 .github/workflows/dependency-updates.yml | 2 +-
 .github/workflows/docker-lint.yml | 2 +-
 .github/workflows/helm-release.yml | 2 +-
 .github/workflows/imaginary-update.yml | 2 +-
 .github/workflows/json-validator.yml | 2 +-
 .github/workflows/lint-helm.yml | 2 +-
 .github/workflows/lint-php.yml | 2 +-
 .github/workflows/nextcloud-update.yml | 2 +-
 .github/workflows/php-deprecation-detector.yml | 2 +-
 .github/workflows/playwright-on-push.yml | 6 +++---
 .github/workflows/playwright-on-workflow-dispatch.yml | 6 +++---
 .github/workflows/psalm-update-baseline.yml | 2 +-
 .github/workflows/psalm.yml | 2 +-
 .github/workflows/shellcheck.yml | 2 +-
 .github/workflows/talk.yml | 2 +-
 .github/workflows/twig-lint.yml | 2 +-
 .github/workflows/update-copyright.yml | 2 +-
 .github/workflows/update-helm.yml | 2 +-
 .github/workflows/update-yaml.yml | 2 +-
 .github/workflows/watchtower-update.yml | 2 +-
 zizmor.yml | 6 ++----
 24 files changed, 29 insertions(+), 31 deletions(-)
diff --git a/.github/workflows/codespell.yml b/.github/workflows/codespell.yml
index 2fff5ddb..94af09c8 100644
--- a/.github/workflows/codespell.yml
+++ b/.github/workflows/codespell.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Check spelling
 uses: codespell-project/actions-codespell@8f01853be192eb0f849a5c7d721450e7a467c579 # v2
 with:
diff --git a/.github/workflows/collabora.yml b/.github/workflows/collabora.yml
index abf5d520..39758f3e 100644
--- a/.github/workflows/collabora.yml
+++ b/.github/workflows/collabora.yml
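Review bot: In the codespell.yml hunk the new pin is annotated `# v6.0.1`, but the line it replaces referenced `actions/checkout@v6.0.2`, so either the comment is stale or the commit quietly moves checkout back one patch release. The same hash and comment recur in every checkout hunk of this patch that replaces `@v6.0.2`. Resolve the hash against the upstream tags before merging; if v6.0.2 was intended, the line becomes `uses: actions/checkout@<sha-of-v6.0.2-tag> # v6.0.2` (placeholder, take the hash from the upstream tag). The trailing comment is the only human-readable link between a hash and a release, and tooling that rewrites pins reads it, so it has to match the hash.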
@@ -10,7 +10,7 @@ jobs:
 name: update collabora
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Run collabora-profile-update
 run: |
 rm -f php/cool-seccomp-profile.json
diff --git a/.github/workflows/community-containers.yml b/.github/workflows/community-containers.yml
index cfe35ee0..c901358d 100644
--- a/.github/workflows/community-containers.yml
+++ b/.github/workflows/community-containers.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Validate structure
 run: |
 CONTAINERS="$(find ./community-containers -mindepth 1 -maxdepth 1 -type d)"
diff --git a/.github/workflows/dependency-updates.yml b/.github/workflows/dependency-updates.yml
index 3a40363b..66404af5 100644
--- a/.github/workflows/dependency-updates.yml
+++ b/.github/workflows/dependency-updates.yml
@@ -10,7 +10,7 @@ jobs:
 name: Run dependency update script
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
 with:
 php-version: 8.4
diff --git a/.github/workflows/docker-lint.yml b/.github/workflows/docker-lint.yml
index b9ce68ef..7a5509df 100644
--- a/.github/workflows/docker-lint.yml
+++ b/.github/workflows/docker-lint.yml
@@ -25,7 +25,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Install hadolint
 run: |
diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml
index f621f229..528c6cd3 100644
--- a/.github/workflows/helm-release.yml
+++ b/.github/workflows/helm-release.yml
@@ -13,7 +13,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Turnstyle
 uses: softprops/turnstyle@e565d2d86403c5d23533937e95980570545e5586 # v2
diff --git a/.github/workflows/imaginary-update.yml b/.github/workflows/imaginary-update.yml
index 7440a09f..e182b073 100644
--- a/.github/workflows/imaginary-update.yml
+++ b/.github/workflows/imaginary-update.yml
@@ -10,7 +10,7 @@ jobs:
 name: update to latest imaginary commit on master branch
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Run imaginary-update
 run: |
 # Imaginary
diff --git a/.github/workflows/json-validator.yml b/.github/workflows/json-validator.yml
index 4213296b..68b66812 100644
--- a/.github/workflows/json-validator.yml
+++ b/.github/workflows/json-validator.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Validate Json
 run: |
 sudo apt-get update
diff --git a/.github/workflows/lint-helm.yml b/.github/workflows/lint-helm.yml
index 1ea877a6..e65d7cdc 100644
--- a/.github/workflows/lint-helm.yml
+++ b/.github/workflows/lint-helm.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 fetch-depth: 0
diff --git a/.github/workflows/lint-php.yml b/.github/workflows/lint-php.yml
index 12cba439..69c42c2b 100644
--- a/.github/workflows/lint-php.yml
+++ b/.github/workflows/lint-php.yml
@@ -36,7 +36,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5.0.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
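Review bot: The lint-php.yml hunk is a major-version upgrade rather than a pin: checkout was already pinned to a hash annotated `# v5.0.1` and now moves to one annotated `# v6.0.1`, and psalm.yml gets the same change. Under a subject line of "pin all actions via commit hash" that jump is easy to approve without reading, so it should be named in the commit description or split into its own commit, with the v6 release notes checked for changes that affect these jobs. `persist-credentials: false` is kept in both files; the `with:` block continues past the end of the hunk.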
diff --git a/.github/workflows/nextcloud-update.yml b/.github/workflows/nextcloud-update.yml
index b96ac2b9..aaaa26eb 100644
--- a/.github/workflows/nextcloud-update.yml
+++ b/.github/workflows/nextcloud-update.yml
@@ -11,7 +11,7 @@ jobs:
 name: Run nextcloud-update script
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Run nextcloud-update script
 run: |
 # Inspired by https://github.com/nextcloud/docker/blob/master/update.sh
diff --git a/.github/workflows/php-deprecation-detector.yml b/.github/workflows/php-deprecation-detector.yml
index ee35830c..61ae7c0d 100644
--- a/.github/workflows/php-deprecation-detector.yml
+++ b/.github/workflows/php-deprecation-detector.yml
@@ -16,7 +16,7 @@ jobs:
 name: PHP Deprecation Detector
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Set up php
 uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
 with:
diff --git a/.github/workflows/playwright-on-push.yml b/.github/workflows/playwright-on-push.yml
index 28ba7d9c..2eda156e 100644
--- a/.github/workflows/playwright-on-push.yml
+++ b/.github/workflows/playwright-on-push.yml
@@ -24,9 +24,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
 with:
 node-version: lts/*
@@ -114,7 +114,7 @@ jobs:
 exit 1
 fi
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 if: ${{ !cancelled() }}
 with:
 name: playwright-report
diff --git a/.github/workflows/playwright-on-workflow-dispatch.yml b/.github/workflows/playwright-on-workflow-dispatch.yml
index 483811f2..ab31c564 100644
--- a/.github/workflows/playwright-on-workflow-dispatch.yml
+++ b/.github/workflows/playwright-on-workflow-dispatch.yml
@@ -13,9 +13,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
 with:
 node-version: lts/*
@@ -82,7 +82,7 @@ jobs:
 exit 1
 fi
- - uses: actions/upload-artifact@v6
+ - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6
 if: ${{ !cancelled() }}
 with:
 name: playwright-report
diff --git a/.github/workflows/psalm-update-baseline.yml b/.github/workflows/psalm-update-baseline.yml
index 14715108..45860741 100644
--- a/.github/workflows/psalm-update-baseline.yml
+++ b/.github/workflows/psalm-update-baseline.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Set up php
 uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
diff --git a/.github/workflows/psalm.yml b/.github/workflows/psalm.yml
index cbc77bf5..47a6994c 100644
--- a/.github/workflows/psalm.yml
+++ b/.github/workflows/psalm.yml
@@ -32,7 +32,7 @@ jobs:
 name: static-psalm-analysis
 steps:
 - name: Checkout
- uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # v5.0.1
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
 persist-credentials: false
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index 0ef69085..8b746c05 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -15,7 +15,7 @@ jobs:
 name: Check Shell
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Run Shellcheck
 uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
 with:
diff --git a/.github/workflows/talk.yml b/.github/workflows/talk.yml
index c1b96d24..6057ed1a 100644
--- a/.github/workflows/talk.yml
+++ b/.github/workflows/talk.yml
@@ -10,7 +10,7 @@ jobs:
 name: update talk
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Run talk-container-update
 run: |
 # Recording
diff --git a/.github/workflows/twig-lint.yml b/.github/workflows/twig-lint.yml
index 3b04704d..07e6549b 100644
--- a/.github/workflows/twig-lint.yml
+++ b/.github/workflows/twig-lint.yml
@@ -24,7 +24,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Set up php ${{ matrix.php-versions }}
 uses: shivammathur/setup-php@7bf05c6b704e0b9bfee22300130a31b5ea68d593 # v2
diff --git a/.github/workflows/update-copyright.yml b/.github/workflows/update-copyright.yml
index 95329d3c..f453a05c 100644
--- a/.github/workflows/update-copyright.yml
+++ b/.github/workflows/update-copyright.yml
@@ -8,4 +8,4 @@ jobs:
 name: update copyright
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
diff --git a/.github/workflows/update-helm.yml b/.github/workflows/update-helm.yml
index 2f441735..69974d3a 100644
--- a/.github/workflows/update-helm.yml
+++ b/.github/workflows/update-helm.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: update helm chart
 run: |
 set -x
diff --git a/.github/workflows/update-yaml.yml b/.github/workflows/update-yaml.yml
index 41b0adf2..41a54a41 100644
--- a/.github/workflows/update-yaml.yml
+++ b/.github/workflows/update-yaml.yml
@@ -11,7 +11,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: update yaml files
 run: |
 sudo bash manual-install/update-yaml.sh
diff --git a/.github/workflows/watchtower-update.yml b/.github/workflows/watchtower-update.yml
index b26cd1a4..34938de0 100644
--- a/.github/workflows/watchtower-update.yml
+++ b/.github/workflows/watchtower-update.yml
@@ -10,7 +10,7 @@ jobs:
 name: update watchtower
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6.0.2
+ - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 - name: Run watchtower-container-update
 run: |
 # Watchtower
diff --git a/zizmor.yml b/zizmor.yml
index a991eaa5..7601baa4 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -4,7 +4,5 @@ rules:
 dangerous-triggers:
 ignore:
 - build_images.yml
- unpinned-uses:
- config:
- policies:
- actions/*: ref-pin
+ artipacked:
+ disable: true
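Review bot: In zizmor.yml, `artipacked:` with `disable: true` switches off for the whole repository the audit that reports `actions/checkout` steps leaving the job token in the checked-out `.git/config`. In this patch only lint-php.yml and psalm.yml show `persist-credentials: false`, while both playwright workflows check out without it and later run `actions/upload-artifact`; what they upload is not visible here, so that combination should be checked before the audit is silenced. Prefer adding `persist-credentials: false` to jobs that do not push, and listing the workflows that genuinely need the token under `artipacked:` → `ignore:`, the way `dangerous-triggers` already does for build_images.yml. Separately, deleting the `unpinned-uses` policy leaves enforcement of hash pins to zizmor's defaults; an explicit `"*": hash-pin` entry under `policies:` would make the linter enforce the convention this commit introduces.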