Pin GitHub actions

2026-05-08 05:17:27 +02:00 · 2026-05-07 10:30:37 -08:00
parent 0059d37db5
commit 9527b7879f
7 changed files with 53 additions and 53 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -25,8 +25,8 @@ jobs:
      docs: ${{ steps.filter.outputs.docs }}
      helm: ${{ steps.filter.outputs.helm }}
    steps:
-      - uses: actions/checkout@v6
-      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
        id: filter
        with:
          filters: |
@@ -55,8 +55,8 @@ jobs:
    name: Run prettier check
    runs-on: ubuntu-22.04
    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -72,8 +72,8 @@ jobs:
    needs: changes
    if: needs.changes.outputs.docs == 'true'
    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -89,7 +89,7 @@ jobs:
    needs: changes
    if: needs.changes.outputs.helm == 'true'
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -103,8 +103,8 @@ jobs:
    needs: changes
    if: needs.changes.outputs.code == 'true'
    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -121,7 +121,7 @@ jobs:
    if: needs.changes.outputs.ci == 'true'
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Check workflow files
        run: |
          bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) 1.7.9
@@ -134,8 +134,8 @@ jobs:
    needs: changes
    if: needs.changes.outputs.code == 'true'
    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -144,7 +144,7 @@ jobs:
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - run: npm run test:unit
-      - uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v5
+      - uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5
        if: success()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@@ -163,16 +163,16 @@ jobs:

    steps:
      - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # latest
+      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
        with:
          packages: quilt
          version: 1.0

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: true
      - run: quilt push -a
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -191,7 +191,7 @@ jobs:
      # embedded into the code).  Use VSCODE_CACHE_VERSION to force a rebuild.
      - name: Fetch prebuilt linux-x64 Code package from cache
        id: cache-vscode
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: lib/vscode-reh-web-linux-x64
          key: vscode-linux-x64-package-${{ secrets.VSCODE_CACHE_VERSION }}-${{ steps.vscode-rev.outputs.rev }}-${{ hashFiles('patches/*.diff', 'ci/build/build-vscode.sh') }}
@@ -205,7 +205,7 @@ jobs:
      # Push up an artifact containing the linux-x64 release.
      - run: KEEP_MODULES=1 npm run release
      - run: tar -czf package.tar.gz release
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: linux-x64-package
          path: ./package.tar.gz
@@ -219,8 +219,8 @@ jobs:
    if: needs.changes.outputs.code == 'true' || needs.changes.outputs.deps == 'true' || needs.changes.outputs.ci == 'true'

    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -233,13 +233,13 @@ jobs:
          ./test/node_modules/.bin/playwright install-deps
          ./test/node_modules/.bin/playwright install

-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: linux-x64-package
      - run: tar -xzf package.tar.gz

      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        if: always()
        with:
          name: failed-test-videos
@@ -256,7 +256,7 @@ jobs:

    steps:
      - name: Cache Caddy
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        id: caddy-cache
        with:
          path: |
@@ -269,8 +269,8 @@ jobs:
          mkdir -p ~/.cache/caddy
          tar -xzf caddy_2.5.2_linux_amd64.tar.gz --directory ~/.cache/caddy

-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -283,7 +283,7 @@ jobs:
          ./test/node_modules/.bin/playwright install-deps
          ./test/node_modules/.bin/playwright install

-      - uses: actions/download-artifact@v8
+      - uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: linux-x64-package
      - run: tar -xzf package.tar.gz
@@ -292,7 +292,7 @@ jobs:
      - run: CODE_SERVER_TEST_ENTRY=./release npm run test:e2e:proxy
      - run: ~/.cache/caddy/caddy stop --config ./ci/Caddyfile
        if: always()
-      - uses: actions/upload-artifact@v7
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        if: always()
        with:
          name: failed-test-videos-proxy
--- a/.github/workflows/installer.yaml
+++ b/.github/workflows/installer.yaml
@@ -30,7 +30,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install code-server
        run: ./install.sh
@@ -44,7 +44,7 @@ jobs:
    container: "alpine:3.17"
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install curl
        run: apk add curl
@@ -67,7 +67,7 @@ jobs:

    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install code-server
        run: ./install.sh
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -33,8 +33,8 @@ jobs:
        run: |
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version

@@ -64,7 +64,7 @@ jobs:
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

      - name: Checkout code-server-aur repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          repository: "cdrci/code-server-aur"
          token: ${{ secrets.HOMEBREW_GITHUB_API_TOKEN }}
@@ -108,7 +108,7 @@ jobs:
        run: |
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -54,7 +54,7 @@ jobs:

    steps:
      - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - uses: awalsh128/cache-apt-pkgs-action@acb598e5ddbc6f68a970c5da0688d2f3a9f04d05 # latest
+      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
        with:
          packages: quilt
          version: 1.0
@@ -68,11 +68,11 @@ jobs:
        run: |
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: true
      - run: quilt push -a
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
@@ -148,11 +148,11 @@ jobs:
        run: |
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          submodules: true
      - run: quilt push -a
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version
          cache: npm
--- a/.github/workflows/scripts.yaml
+++ b/.github/workflows/scripts.yaml
@@ -41,7 +41,7 @@ jobs:
    container: "alpine:3.17"
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install test utilities
        run: apk add bats checkbashisms
@@ -58,7 +58,7 @@ jobs:
    timeout-minutes: 5
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Install lint utilities
        run: sudo apt install shellcheck
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -25,12 +25,12 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0

      - name: Install Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version-file: .node-version

@@ -46,12 +46,12 @@ jobs:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0

      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
        with:
          scan-type: "fs"
          scan-ref: "."
@@ -62,7 +62,7 @@ jobs:
          severity: "HIGH,CRITICAL"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
        with:
          sarif_file: "trivy-repo-results.sarif"

@@ -76,17 +76,17 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
        with:
          config-file: ./.github/codeql-config.yml
          languages: javascript

      - name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
--- a/.github/workflows/trivy-docker.yaml
+++ b/.github/workflows/trivy-docker.yaml
@@ -48,10 +48,10 @@ jobs:

    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Run Trivy vulnerability scanner in image mode
-        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478
+        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # latest
        with:
          image-ref: "docker.io/codercom/code-server:latest"
          ignore-unfixed: true
@@ -60,6 +60,6 @@ jobs:
          severity: "HIGH,CRITICAL"

      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
        with:
          sarif_file: "trivy-image-results.sarif"