From 739ee6320ad624708a230d12de8047c746ab62d5 Mon Sep 17 00:00:00 2001
From: joel-phantom <222027182+joel-phantom@users.noreply.github.com>
Date: Thu, 2 Apr 2026 19:02:58 +0000
Subject: [PATCH] chore: pin external GitHub Actions to full commit SHAs

Pin all unpinned external GitHub Action `uses:` references to their current full 40-character commit SHAs, with original ref in a comment. This is part of the org-wide supply chain security hardening effort.

Refs: SEC-7928, SEC-6683
---
 .github/workflows/android-ci.yml | 8 ++++----
 .github/workflows/detox.yml | 4 ++--
 .github/workflows/ios-ci.yml | 4 ++--
 .github/workflows/macos-ci.yml | 4 ++--
 .github/workflows/release.yml | 4 ++--
 .github/workflows/stale.yml | 2 +-
 .github/workflows/windows-ci.yml | 6 +++---
 7 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/android-ci.yml b/.github/workflows/android-ci.yml
index 8ea24b6db0..ff64974664 100644
--- a/.github/workflows/android-ci.yml
+++ b/.github/workflows/android-ci.yml
@@ -13,14 +13,14 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20
 cache: 'yarn'
 - name: Set up JDK
- uses: actions/setup-java@v4
+ uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 distribution: temurin
 java-version: 17
@@ -28,7 +28,7 @@ jobs:
 run: yarn --frozen-lockfile
 shell: bash
 - name: Build Android test app
- uses: gradle/gradle-build-action@v2
+ uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa # v2
 with:
 gradle-version: wrapper
 arguments: -PnewArchEnabled=${{matrix.newArchEnabled}} --no-daemon clean build check test
diff --git a/.github/workflows/detox.yml b/.github/workflows/detox.yml
index 7fce0ee03e..2195f0e9ed 100644
--- a/.github/workflows/detox.yml
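Review bot: The trailing comments on the pinned `uses:` lines in the first android-ci.yml hunk record only the moving major tag (`# v4`), so a later reader cannot tell which release each 40-character SHA corresponds to, or confirm that it was a tagged release at all. Record the exact release tag the SHA was resolved from, for example `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.x.y`, with the real patch version in place of the `x.y` placeholder. The same applies to the `# v4`, `# v3` and `# v2` comments in the second android-ci.yml hunk and in detox.yml, ios-ci.yml, macos-ci.yml, release.yml and windows-ci.yml; the stale.yml and setup-msbuild lines already carry a full version. The diffstat lists only workflow files, so if the repository has no update tooling configured for GitHub Actions (not visible here), these pins will age past upstream security fixes unnoticed.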
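Review bot: In the second android-ci.yml hunk, `gradle/gradle-build-action` is pinned at its `v2` commit, and as far as I know upstream has superseded that action with `gradle/actions/setup-gradle`, so the pin freezes a step that is unlikely to receive further fixes. The SHA pin is still better than the floating tag, but a follow-up that migrates this step would keep the Android build on a maintained action. If the migration is deferred, a comment above the step such as `# TODO: migrate to gradle/actions/setup-gradle (gradle-build-action is superseded)` would make that visible to the next reader.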
+++ b/.github/workflows/detox.yml
@@ -7,9 +7,9 @@ jobs:
 runs-on: 'macOS-latest'
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20
 cache: 'yarn'
diff --git a/.github/workflows/ios-ci.yml b/.github/workflows/ios-ci.yml
index 46ae130e79..0c6dce0de9 100644
--- a/.github/workflows/ios-ci.yml
+++ b/.github/workflows/ios-ci.yml
@@ -12,9 +12,9 @@ jobs:
 runs-on: macos-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20
 cache: 'yarn'
diff --git a/.github/workflows/macos-ci.yml b/.github/workflows/macos-ci.yml
index bd6f368acb..d349738118 100644
--- a/.github/workflows/macos-ci.yml
+++ b/.github/workflows/macos-ci.yml
@@ -9,9 +9,9 @@ jobs:
 runs-on: macos-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: 20
 cache: 'yarn'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f92474b341..a02072fdc1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,13 +16,13 @@ jobs:
 pull-requests: write
 steps:
 - name: Checkout Repo
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Enable Corepack
 run: corepack enable
 - name: Setup Node.js 20.x
- uses: actions/setup-node@v3
+ uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3
 with:
 node-version: 20.x
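Review bot: In release.yml the `Setup Node.js 20.x` step is pinned to a `v3` commit of `actions/setup-node`, while every other workflow in this patch pins a `v4` commit, and this is the job whose visible permissions include `pull-requests: write`. Pinning keeps that older major in place indefinitely; consider moving the step to the SHA used elsewhere in the patch, `uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4`, after confirming the release job behaves the same. The job's `permissions:` block starts above the hunk, so the full set of token scopes is not visible here.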
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index ebee3eb173..d386612343 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -7,7 +7,7 @@ jobs:
 stale:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v3.0.14
+ - uses: actions/stale@87c2b794b9b47a9bec68ae03c01aeb572ffebdb1 # v3.0.14
 with:
 repo-token: ${{ secrets.GITHUB_TOKEN }}
 stale-issue-message: 'Hello 👋, this issue has been opened for more than 2 months with no activity on it. If the issue is still here, please keep in mind that we need community support and help to fix it! Just comment something like _still searching for solutions_ and if you found one, please open a pull request! You have 7 days until this gets closed automatically'
diff --git a/.github/workflows/windows-ci.yml b/.github/workflows/windows-ci.yml
index 52c6372855..be31858d8d 100644
--- a/.github/workflows/windows-ci.yml
+++ b/.github/workflows/windows-ci.yml
@@ -7,17 +7,17 @@ jobs:
 runs-on: windows-2022
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 name: Checkout Code
 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '20'
 cache: 'yarn'
 - name: Setup MSBuild
- uses: microsoft/setup-msbuild@v1.1.3
+ uses: microsoft/setup-msbuild@34cfbaee7f672c76950673338facd8a73f637506 # v1.1.3
 with:
 vs-version: '[17.0,)'
 msbuild-architecture: x64
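Review bot: The stale job in stale.yml hands `${{ secrets.GITHUB_TOKEN }}` to `actions/stale`, and no job-level `permissions:` key appears between `stale:` and `steps:` in this hunk. The token's scope therefore depends on a workflow-level block above line 7 or on the repository default, neither of which is visible here. If nothing above the hunk restricts it, add `permissions:` with `issues: write` and `pull-requests: write` under the `stale:` job, so the token carries only what marking and closing stale issues and pull requests needs.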