[fix] Pin GitHub Actions to specific commit SHAs

Fix validate-pins CI check by pinning all unpinned actions to their exact commit SHA for security and reproducibility.
2026-03-14 09:27:41 +00:00 · 2026-03-13 02:04:43 +00:00
parent 3724ae7549
commit 5ef47de839
2 changed files with 7 additions and 7 deletions
--- a/.github/workflows/manual-api-changelog.yaml
+++ b/.github/workflows/manual-api-changelog.yaml
@@ -30,7 +30,7 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0 # Fetch all history for comparing versions

@@ -76,12 +76,12 @@ jobs:
          echo "✅ Validated versions: v$FROM_VERSION → v$TO_VERSION"

      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
        with:
          version: 10

      - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: 'lts/*'
          cache: 'pnpm'
@@ -182,7 +182,7 @@ jobs:
          echo "✅ Changelog generated successfully"

      - name: Upload changelog artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: api-changelog-v${{ steps.validate_versions.outputs.from_version }}-to-v${{ steps.validate_versions.outputs.to_version }}
          path: |
--- a/.github/workflows/release-api-changelogs.yaml
+++ b/.github/workflows/release-api-changelogs.yaml
@@ -21,17 +21,17 @@ jobs:
      pull-requests: write
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0 # Fetch all history for comparing versions

      - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
        with:
          version: 10

      - name: Setup Node.js
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: 'lts/*'
          cache: 'pnpm'