From 08e40f5dc48ee532cfc51d02ecf8f32ad31ff094 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Sat, 7 Jun 2025 21:59:49 -0400 Subject: [PATCH] Pin GitHub actions to a hash per zizmor --- .github/workflows/codeql.yml | 4 ++-- .github/workflows/release-python.yml | 4 ++-- .github/workflows/test-python.yml | 2 +- .github/workflows/zizmor.yml | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index e2b43d62..dfc61e54 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -56,7 +56,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: languages: ${{ matrix.language }} build-mode: none @@ -72,6 +72,6 @@ jobs: pip install -e . - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/release-python.yml b/.github/workflows/release-python.yml index 987544c9..2e913338 100644 --- a/.github/workflows/release-python.yml +++ b/.github/workflows/release-python.yml @@ -80,14 +80,14 @@ jobs: name: all-dist-${{ github.run_id }} path: dist/ - name: Publish package distributions to TestPyPI - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1 with: repository-url: https://test.pypi.org/legacy/ skip-existing: true attestations: ${{ env.DRY_RUN }} - name: Publish package distributions to PyPI if: startsWith(env.DRY_RUN, 'false') - uses: pypa/gh-action-pypi-publish@release/v1 + uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1 post-publish: needs: [publish] diff --git a/.github/workflows/test-python.yml b/.github/workflows/test-python.yml index d471f3f2..d3fccebd 100644 --- a/.github/workflows/test-python.yml +++ b/.github/workflows/test-python.yml @@ -50,7 +50,7 @@ jobs: - name: Copy the test runner file run: cp .github/workflows/runtests.py django_repo/tests/runtests_.py - name: Start MongoDB - uses: supercharge/mongodb-github-action@1.12.0 + uses: supercharge/mongodb-github-action@90004df786821b6308fb02299e5835d0dae05d0d # 1.12.0 with: mongodb-version: 6.0 - name: Run tests diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 0fbdbd6d..18bc342a 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -18,7 +18,7 @@ jobs: with: persist-credentials: false - name: Setup Rust - uses: actions-rust-lang/setup-rust-toolchain@v1 + uses: actions-rust-lang/setup-rust-toolchain@9d7e65c320fdb52dcd45ffaa68deb6c02c8754d9 # v1 - name: Get zizmor run: cargo install zizmor - name: Run zizmor @@ -26,7 +26,7 @@ jobs: env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3 with: sarif_file: results.sarif category: zizmor