diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a893380..6305946 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: sudo unzip -o /tmp/protoc.zip -d /usr/local protoc --version - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned) - name: Rustfmt run: cargo fmt --all --check @@ -78,7 +78,7 @@ jobs: sudo unzip -o /tmp/protoc.zip -d /usr/local protoc --version - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned) - name: Check (MSRV 1.85) run: cargo check --workspace --all-targets @@ -100,7 +100,7 @@ jobs: sudo unzip -o /tmp/protoc.zip -d /usr/local protoc --version - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned) - name: Check buffa no_std (host) run: cargo check -p buffa --no-default-features @@ -132,7 +132,7 @@ jobs: sudo unzip -o /tmp/protoc.zip -d /usr/local protoc --version - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned) - name: Regenerate bootstrap descriptor types # Proto sources are vendored in buffa-descriptor/protos/ (pinned), @@ -176,15 +176,15 @@ jobs: - uses: dtolnay/rust-toolchain@stable - - uses: Swatinem/rust-cache@v2 + - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned) with: workspaces: conformance - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 (sha-pinned) - name: Build tools image (cached) - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 (sha-pinned) with: context: . file: conformance/Dockerfile.tools 
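Review bot: In ci.yml, the context lines of the hunk at `@@ -34,7 +34,7 @@` unpack `/tmp/protoc.zip` into `/usr/local` under sudo, and the same lines recur in the hunks at -78, -100 and -132. The step that downloads the archive is outside these hunks, so I cannot see whether it is checked against a known digest. If it is not, the protoc binary remains an unpinned input in the same jobs this commit hardens. A line such as `echo "<expected-sha256>  /tmp/protoc.zip" | sha256sum -c -` before the unzip would cover it.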
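Review bot: In the ci.yml hunk at `@@ -176,15 +176,15 @@`, the context line `- uses: dtolnay/rust-toolchain@stable` still references a mutable branch, while every other action in the job is now pinned to a commit. That action selects the toolchain from the ref name, so pinning it means passing the channel explicitly: `- uses: dtolnay/rust-toolchain@<commit-sha>` followed by `with:` / `toolchain: stable`. Other jobs in ci.yml may use the same step outside the visible hunks and would need the same change.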
diff --git a/.github/workflows/cla.yaml b/.github/workflows/cla.yaml index 5309a0c..d7f1fd6 100644 --- a/.github/workflows/cla.yaml +++ b/.github/workflows/cla.yaml @@ -24,7 +24,7 @@ jobs: # co-author of at least one commit), Co-authored-by trailer support, # email-based allowlist matching, automatic retry of transient # GitHub 5xx errors, and actionable unlinked-email guidance. - uses: iainmcgin/cla-github-action@5b54183037a58ba5ade5ea9b3e1872d969730f77 + uses: iainmcgin/cla-github-action@5b54183037a58ba5ade5ea9b3e1872d969730f77 # master (sha-pinned) env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml index 587dbc2..6636aeb 100644 --- a/.github/workflows/publish-crates.yml +++ b/.github/workflows/publish-crates.yml @@ -47,7 +47,7 @@ jobs: - name: Authenticate (Trusted Publishing) id: auth if: ${{ !inputs.dry_run && env.CARGO_REGISTRY_TOKEN == '' }} - uses: rust-lang/crates-io-auth-action@v1 + uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4 (sha-pinned) - name: Use Trusted Publishing token if: ${{ steps.auth.outputs.token != '' }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f4f8b96..6d7fd04 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -131,7 +131,7 @@ jobs: subject-path: artifacts/${{ env.BINARY_PREFIX }}-* - name: Install cosign - uses: sigstore/cosign-installer@v3 + uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1 (sha-pinned) - name: Sign artifacts with cosign (keyless) working-directory: artifacts @@ -146,7 +146,7 @@ jobs: done - name: Create GitHub release - uses: softprops/action-gh-release@v2 + uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 (sha-pinned) with: generate_release_notes: true files: | 
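Review bot: The trailing comment added in cla.yaml, `# master (sha-pinned)`, names a branch rather than a release. Unlike the `# vX.Y.Z` comments elsewhere in this commit, it does not tell a reader which reviewed state of the action the SHA corresponds to. Recording when the commit was taken, for example `# master as of <YYYY-MM-DD> (sha-pinned)`, would make a later bump auditable. The step also receives `GITHUB_TOKEN`, and the workflow's trigger and `permissions:` block are outside the hunk, so confirm the token scope is as narrow as the CLA check needs.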
diff --git a/.github/workflows/tools-image.yml b/.github/workflows/tools-image.yml index c74e91f..69a9af4 100644 --- a/.github/workflows/tools-image.yml +++ b/.github/workflows/tools-image.yml @@ -42,7 +42,7 @@ jobs: # Install QEMU for arm64 cross-compilation on the amd64 runner. # Only arm64 is needed — the runner already runs amd64 natively. - name: Set up QEMU - uses: docker/setup-qemu-action@v3 + uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 (sha-pinned) with: platforms: arm64 @@ -50,10 +50,10 @@ jobs: # The default `docker` driver doesn't support multi-platform or the gha # cache backend. - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 (sha-pinned) - name: Log in to GHCR - uses: docker/login-action@v3 + uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 (sha-pinned) with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} @@ -83,7 +83,7 @@ jobs: - name: Build and push id: build - uses: docker/build-push-action@v6 + uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 (sha-pinned) with: context: . file: conformance/Dockerfile.tools @@ -135,7 +135,7 @@ jobs: # cosign verify ghcr.io//buffa/tools:v33.5 \ # --certificate-identity-regexp "github.com//buffa/.github/workflows/tools-image.yml@" \ # --certificate-oidc-issuer https://token.actions.githubusercontent.com - - uses: sigstore/cosign-installer@v3 + - uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1 (sha-pinned) - name: Sign image env: IMAGE_DIGEST: ${{ env.IMAGE_BASE }}@${{ steps.build.outputs.digest }}
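Review bot: In tools-image.yml, the pin on `docker/setup-qemu-action` at `@@ -42,7 +42,7 @@` fixes the action's code but, as far as I know, not the binfmt container image it pulls and runs privileged, which defaults to a mutable `latest` tag. The `with:` block here sets only `platforms: arm64`, so adding `image: docker.io/tonistiigi/binfmt@sha256:<digest>` would pin that too. The same applies to the BuildKit image pulled by `docker/setup-buildx-action` in the hunk at -50 and in ci.yml. It can be fixed with `driver-opts: image=moby/buildkit:<pinned-tag>` if the default is currently in use.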