From 95da645ae5f3ee5b936b17ab701b189b87664c83 Mon Sep 17 00:00:00 2001 From: Phil Crockett Date: Sat, 13 Jun 2026 20:44:46 +0200 Subject: [PATCH] Update and pin GitHub actions (#211) Using `pinact run --update` Also: dependabot will continue functioning as usual, and it also knows how to update the version comments. --- .github/workflows/add-to-project.yml | 2 +- .github/workflows/checks.yml | 42 ++++++++++++++-------------- .github/workflows/docker.yml | 18 ++++++------ .github/workflows/helm-test.yml | 8 +++--- .github/workflows/publish-docs.yml | 6 ++-- .github/workflows/publish-helm.yml | 6 ++-- .github/workflows/rust-tests.yml | 8 +++--- .github/workflows/security.yml | 4 +-- 8 files changed, 47 insertions(+), 47 deletions(-) diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml index 9354e69..7e0764b 100644 --- a/.github/workflows/add-to-project.yml +++ b/.github/workflows/add-to-project.yml @@ -12,7 +12,7 @@ jobs: name: Add issue to project runs-on: ubuntu-latest steps: - - uses: actions/add-to-project@v2.0.0 + - uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0 with: project-url: https://github.com/orgs/GothenburgBitFactory/projects/4 github-token: ${{ secrets.ADD_TO_PROJECT_PAT }} diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index 917d6f5..db40495 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -13,31 +13,31 @@ jobs: name: "Check & Clippy" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Cache cargo registry - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/registry key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} - name: Cache cargo build - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: target key: ${{ runner.os }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }} - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 with: toolchain: "stable" override: true components: clippy - - uses: actions-rs/cargo@v1.0.3 + - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 with: command: check - - uses: actions-rs/clippy-check@v1 + - uses: actions-rs/clippy-check@b5b5f21f4797c02da247df37026fcd0a5024aa4d # v1.0.7 with: token: ${{ secrets.GITHUB_TOKEN }} args: --all-features --no-deps -- -D warnings @@ -48,46 +48,46 @@ jobs: name: "Rustdoc" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Cache cargo registry - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/registry key: ${{ runner.os }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 with: toolchain: nightly override: true minimal: true - name: taskchampion-sync-server - uses: actions-rs/cargo@v1.0.3 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 with: command: rustdoc args: -p taskchampion-sync-server --bin taskchampion-sync-server --all-features -- -Z unstable-options --check -Dwarnings - name: taskchampion-sync-server-postgres - uses: actions-rs/cargo@v1.0.3 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 with: command: rustdoc args: -p taskchampion-sync-server --bin taskchampion-sync-server-postgres --all-features -- -Z unstable-options --check -Dwarnings - name: taskchampion-sync-server-core - uses: actions-rs/cargo@v1.0.3 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 with: command: rustdoc args: -p taskchampion-sync-server-core --all-features -- -Z unstable-options --check -Dwarnings - name: taskchampion-sync-server-storage-sqlite - uses: actions-rs/cargo@v1.0.3 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 with: command: rustdoc args: -p taskchampion-sync-server-storage-sqlite --all-features -- -Z unstable-options --check -Dwarnings - name: taskchampion-sync-server-storage-postgres - uses: actions-rs/cargo@v1.0.3 + uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 with: command: rustdoc args: -p taskchampion-sync-server-storage-postgres --all-features -- -Z unstable-options --check -Dwarnings @@ -96,16 +96,16 @@ jobs: runs-on: ubuntu-latest name: "Formatting" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 with: profile: minimal components: rustfmt toolchain: stable override: true - - uses: actions-rs/cargo@v1.0.3 + - uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1 with: command: fmt args: --all -- --check @@ -114,8 +114,8 @@ jobs: runs-on: ubuntu-latest name: "Cargo Semver Checks" steps: - - uses: actions/checkout@v6 - - uses: obi1kenobi/cargo-semver-checks-action@v2 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: obi1kenobi/cargo-semver-checks-action@5b298c9520f7096a4683c0bd981a7ac5a7e249ae # v2.8 with: # exclude the binary package from semver checks, since it is not published as a crate. exclude: taskchampion-sync-server @@ -125,10 +125,10 @@ jobs: name: "mdBook Documentation" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup mdBook - uses: peaceiris/actions-mdbook@v2 + uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0 with: # if this changes, change it in .github/workflows/publish-docs.yml as well mdbook-version: '0.4.48' diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 50320aa..1775a03 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -10,18 +10,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Set up QEMU - uses: docker/setup-qemu-action@v4 + uses: docker/setup-qemu-action@06116385d9baf250c9f4dcb4858b16962ea869c3 # v4.1.0 - name: Login to ghcr.io - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Docker meta id: meta-sqlite - uses: docker/metadata-action@v6 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: | ghcr.io/gothenburgbitfactory/taskchampion-sync-server @@ -31,7 +31,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=match,pattern=\d.\d.\d,value=latest - name: Build and push - uses: docker/build-push-action@v7 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: file: "./Dockerfile-sqlite" platforms: linux/amd64,linux/arm64 @@ -42,16 +42,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v4 + uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 - name: Login to ghcr.io - uses: docker/login-action@v4 + uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Docker meta id: meta-postgres - uses: docker/metadata-action@v6 + uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0 with: images: | ghcr.io/gothenburgbitfactory/taskchampion-sync-server-postgres @@ -61,7 +61,7 @@ jobs: type=semver,pattern={{major}}.{{minor}} type=match,pattern=\d.\d.\d,value=latest - name: Build and push - uses: docker/build-push-action@v7 + uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 with: file: "./Dockerfile-postgres" platforms: linux/amd64,linux/arm64 diff --git a/.github/workflows/helm-test.yml b/.github/workflows/helm-test.yml index 3b54c0f..5ad6508 100644 --- a/.github/workflows/helm-test.yml +++ b/.github/workflows/helm-test.yml @@ -16,10 +16,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: version: latest @@ -139,10 +139,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 with: version: latest diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index 6baee36..89b845a 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml @@ -13,10 +13,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Setup mdBook - uses: peaceiris/actions-mdbook@v2 + uses: peaceiris/actions-mdbook@ee69d230fe19748b7abf22df32acaa93833fad08 # v2.0.0 with: # if this changes, change it in .github/workflows/checks.yml as well mdbook-version: '0.4.48' @@ -24,7 +24,7 @@ jobs: - run: mdbook build docs - name: Deploy - uses: peaceiris/actions-gh-pages@v4 + uses: peaceiris/actions-gh-pages@84c30a85c19949d7eee79c4ff27748b70285e453 # v4.1.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} publish_dir: ./docs/book diff --git a/.github/workflows/publish-helm.yml b/.github/workflows/publish-helm.yml index 403ef4c..39cc98b 100644 --- a/.github/workflows/publish-helm.yml +++ b/.github/workflows/publish-helm.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 with: fetch-depth: 0 @@ -25,10 +25,10 @@ jobs: git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - name: Install Helm - uses: azure/setup-helm@v5 + uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0 - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.7.0 + uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0 env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: diff --git a/.github/workflows/rust-tests.yml b/.github/workflows/rust-tests.yml index 7972a27..b5a7727 100644 --- a/.github/workflows/rust-tests.yml +++ b/.github/workflows/rust-tests.yml @@ -39,21 +39,21 @@ jobs: --health-retries 5 steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 - name: Cache cargo registry - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: ~/.cargo/registry key: ${{ runner.os }}-${{ matrix.rust }}-cargo-registry-${{ hashFiles('**/Cargo.lock') }} - name: Cache cargo build - uses: actions/cache@v5 + uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5 with: path: target key: ${{ runner.os }}-${{ matrix.rust }}-cargo-build-target-${{ hashFiles('**/Cargo.lock') }} - - uses: actions-rs/toolchain@v1 + - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6 with: toolchain: "${{ matrix.rust }}" override: true diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index c3d3b9c..d5bf5d0 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -14,7 +14,7 @@ jobs: permissions: write-all name: "Audit Rust Dependencies" steps: - - uses: actions/checkout@v6 - - uses: rustsec/audit-check@v2.0.0 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 + - uses: rustsec/audit-check@69366f33c96575abad1ee0dba8212993eecbe998 # v2.0.0 with: token: ${{ secrets.GITHUB_TOKEN }}