chore: Pin GitHub Action refs to specific SHAs (#79)

HowieHz · web-flow · commit b0d4166ac3ec · 2026-04-01T23:17:44.000+08:00
diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml
@@ -50,20 +50,20 @@ jobs:
             artifact_name: extra-api-lite
             artifact_path: build/libs/extra-api-lite-*.jar
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # https://github.com/actions/checkout/tree/v6
         with:
           submodules: true
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # https://github.com/actions/setup-java/tree/v5
         with:
           distribution: 'temurin'
           java-version: 21
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # https://github.com/gradle/actions/tree/v6
         with:
           cache-read-only: false
       - if: matrix.id != 'lite'
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # https://github.com/pnpm/action-setup/tree/v5
         name: Install pnpm
         id: pnpm-install
         with:
@@ -82,7 +82,7 @@ jobs:
           } >> "$GITHUB_OUTPUT"
       - if: matrix.id != 'lite'
         name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # https://github.com/actions/setup-node/tree/v6
         with:
           node-version: 25
           cache: 'pnpm'
@@ -147,13 +147,13 @@ jobs:
           PY
       - name: Upload Gradle profile report
         if: always()
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # https://github.com/actions/upload-artifact/tree/v7
         with:
           name: gradle-profile-${{ matrix.id }}
           path: build/reports/profile/profile-*.html
           retention-days: 1
       - name: Upload build artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # https://github.com/actions/upload-artifact/tree/v7
         with:
           name: ${{ matrix.artifact_name }}
           path: ${{ matrix.artifact_path }}
@@ -165,7 +165,7 @@ jobs:
     if: github.event_name == 'release'
     steps:
       - name: Download release artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # https://github.com/actions/download-artifact/tree/v8
         with:
           pattern: extra-api-*
           path: build/libs
@@ -178,7 +178,7 @@ jobs:
           echo "ARTIFACT_PATHNAMES=${ARTIFACT_PATHNAMES}" >> $GITHUB_ENV
           echo "RELEASE_ID=${{ github.event.release.id }}" >> $GITHUB_ENV
       - name: Upload Release Assets
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # https://github.com/actions/github-script/tree/v8
         if: github.event_name == 'release'
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -11,19 +11,19 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # https://github.com/actions/checkout/tree/v6
         with:
           submodules: true
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # https://github.com/actions/setup-java/tree/v5
         with:
           distribution: 'temurin'
           java-version: 21
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # https://github.com/gradle/actions/tree/v6
         with:
           cache-read-only: false
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # https://github.com/pnpm/action-setup/tree/v5
         name: Install pnpm
         id: pnpm-install
         with:
@@ -39,7 +39,7 @@ jobs:
             echo 'EOF'
           } >> "$GITHUB_OUTPUT"
       - name: Set up Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # https://github.com/actions/setup-node/tree/v6
         with:
           node-version: 25
           cache: 'pnpm'
diff --git a/.github/workflows/update-toolchain-versions.yml b/.github/workflows/update-toolchain-versions.yml
@@ -19,10 +19,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # https://github.com/actions/checkout/tree/v6
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # https://github.com/actions/setup-node/tree/v6
         with:
           node-version: 25
 
@@ -32,7 +32,7 @@ jobs:
 
       - name: Create Pull Request
         if: ${{ steps.update-toolchain.outputs.changed == 'true' }}
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # https://github.com/peter-evans/create-pull-request/tree/v8
         with:
           token: ${{ secrets.PR_WORKFLOW_TOKEN || github.token }}
           commit-message: "chore: update node and pnpm versions"
