Use commit hashes for actions/checkout references (#229)

Copilot · mihaic · web-flow · commit b9542af8e141 · 2025-11-20T10:34:09.000-08:00
Updated all `actions/checkout` action references to use commit hashes instead of version tags for improved security and reproducibility. ## Changes - Replaced `actions/checkout@v6` with `actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0` in: - `.github/workflows/cibuildwheel.yml` - `.github/workflows/build-linux-arm.yml` - `.github/workflows/build-linux.yml` - `.github/workflows/build-macos.yaml` - `.github/workflows/pre-commit.yml` This aligns all workflow files with the existing pattern in `.github/workflows/skywalking-eyes.yml` and prevents potential tag hijacking attacks.  --- ✨ Let Copilot coding agent [set things up for you](https://github.com/intel/ScalableVectorSearch/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot) — coding agent works faster and does higher quality work when set up for your repo. --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: mihaic <165546+mihaic@users.noreply.github.com>
diff --git a/.github/workflows/build-linux-arm.yml b/.github/workflows/build-linux-arm.yml
@@ -45,7 +45,7 @@ jobs:
             cc: clang-15
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Configure build
       working-directory: ${{ runner.temp }}
diff --git a/.github/workflows/build-linux.yml b/.github/workflows/build-linux.yml
@@ -49,7 +49,7 @@ jobs:
             ivf: ON
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
     - name: Install MKL
       timeout-minutes: 5
       run: |
diff --git a/.github/workflows/build-macos.yaml b/.github/workflows/build-macos.yaml
@@ -44,7 +44,7 @@ jobs:
             needs_prefix: true
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Install Compiler
       run: |
diff --git a/.github/workflows/cibuildwheel.yml b/.github/workflows/cibuildwheel.yml
@@ -33,7 +33,7 @@ jobs:
     runs-on: ubuntu-22.04
 
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
 
     - name: Build Container
       run: |
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -21,7 +21,7 @@ jobs:
   pre-commit:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
     - uses: actions/setup-python@v6
       with:
         python-version: '3.12'
