Pin GitHub Actions to commit SHA for security

bdukes · bdukes · commit c212fe5b9be5 · 2026-03-17T13:11:04.000-05:00
diff --git a/.github/workflows/browserslist-update-db.yml b/.github/workflows/browserslist-update-db.yml
@@ -1,31 +1,31 @@
-name: Update Browserslist database
+name: "Update Browserslist database"
 
 on:
   schedule:
-    - cron: '0 2 1,15 * *'
+    - cron: "0 2 1,15 * *"
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: "write"
+  pull-requests: "write"
 
 jobs:
   update-browserslist-database:
-    runs-on: ubuntu-latest
+    runs-on: "ubuntu-latest"
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v6
+      - name: "Checkout repository"
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           fetch-depth: 0
-      - name: Configure git
+      - name: "Configure git"
         run: |
           # Setup for commiting using built-in token. See https://github.com/actions/checkout#push-a-commit-using-the-built-in-token
           git config user.name "github-actions[bot]"
-          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"         
-      - run: corepack enable
-      - name: Update Browserslist database and create PR if applies
-        uses: c2corg/browserslist-update-action@v2
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+      - run: "corepack enable"
+      - name: "Update Browserslist database and create PR if applies"
+        uses: "c2corg/browserslist-update-action@a76abb476199caea5399f9e28ff3f16e491ec566" # v2
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          branch: browserslist-update
-          base_branch: develop
-          labels: 'javascript, Type: Maintenance'
+          branch: "browserslist-update"
+          base_branch: "develop"
+          labels: "javascript, Type: Maintenance"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -69,14 +69,14 @@ jobs:
           "RUN_TESTS=${{ inputs.RUN_TESTS || env.RUN_TESTS }}" >> $env:GITHUB_ENV;
 
       - name: "Checkout"
-        uses: "actions/checkout@v6.0.2"
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
         with:
           fetch-depth: 0 # include all history for GitVersion
 
       # Built-in caching is broken for Yarn, using setup-node twice
       # See https://github.com/actions/setup-node/issues/531#issuecomment-3335630863
       - name: "Setup Node.js"
-        uses: "actions/setup-node@v6.3.0"
+        uses: "actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f" # v6.3.0
         with:
           node-version-file: ".node-version"
           package-manager-cache: false
@@ -85,12 +85,12 @@ jobs:
         run: "corepack enable"
 
       - name: "Setup Yarn cache"
-        uses: "actions/setup-node@v6.3.0"
+        uses: "actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f" # v6.3.0
         with:
           cache: "yarn"
 
       - name: "Setup .NET SDK"
-        uses: "actions/setup-dotnet@v5.2.0"
+        uses: "actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7" # v5.2.0
         with:
           global-json-file: "global.json"
 
@@ -121,14 +121,14 @@ jobs:
         continue-on-error: true
 
       - name: "Publish Test Results"
-        uses: "EnricoMi/publish-unit-test-result-action/windows@v2.23.0"
+        uses: "EnricoMi/publish-unit-test-result-action/windows@c950f6fb443cb5af20a377fd0dfaa78838901040" # v2.23.0
         if: ${{ !cancelled() && env.RUN_TESTS == 'true' }}
         with:
           files: "**/TestResults/*.trx"
           action_fail: true
 
       - name: "Publish Artifacts"
-        uses: "actions/upload-artifact@v7.0.0"
+        uses: "actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f" # v7.0.0
         if: ${{ !cancelled() }}
         with:
           path: "Artifacts"
diff --git a/.github/workflows/image-actions.yml b/.github/workflows/image-actions.yml
@@ -1,4 +1,4 @@
-name: Compress images
+name: "Compress images"
 on:
   pull_request: # PRs with image (but we can't push changes back to other forks)
     paths:
@@ -19,25 +19,25 @@ jobs:
       github.repository == 'dnnsoftware/Dnn.Platform' &&
       (github.event_name != 'pull_request' ||
        github.event.pull_request.head.repo.full_name == github.repository)
-    name: calibreapp/image-actions
-    runs-on: ubuntu-latest
+    name: "calibreapp/image-actions"
+    runs-on: "ubuntu-latest"
     steps:
-      - name: Checkout Repo
-        uses: actions/checkout@v6
+      - name: "Checkout Repo"
+        uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
 
-      - name: Compress Images
-        id: compress_images
-        uses: calibreapp/image-actions@1.4.1
+      - name: "Compress Images"
+        id: "compress_images"
+        uses: "calibreapp/image-actions@f32575787d333b0579f0b7d506ff03be63a669d1" # 1.4.1
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           compressOnly: ${{ github.event_name != 'pull_request' }} # For non-Pull Requests, run in compressOnly mode and we'll PR after.
 
-      - name: Create Pull Request
+      - name: "Create Pull Request"
         if: | # If it's not a Pull Request then commit any changes as a new PR.
           github.event_name != 'pull_request' && steps.compress_images.outputs.markdown != ''
-        uses: peter-evans/create-pull-request@v8
+        uses: "peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0" # v8.1.0
         with:
-          title: Auto Compress Images
-          branch-suffix: timestamp
-          commit-message: Compress Images
+          title: "Auto Compress Images"
+          branch-suffix: "timestamp"
+          commit-message: "Compress Images"
           body: ${{ steps.compress_images.outputs.markdown }}
