Pin GitHub Actions to commit SHAs

.github/workflows/ci.yml

@@ -34,7 +34,7 @@ jobs:
           sudo unzip -o /tmp/protoc.zip -d /usr/local
           protoc --version
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned)
 
       - name: Rustfmt
         run: cargo fmt --all --check
@@ -78,7 +78,7 @@ jobs:
           sudo unzip -o /tmp/protoc.zip -d /usr/local
           protoc --version
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned)
 
       - name: Check (MSRV 1.85)
         run: cargo check --workspace --all-targets
@@ -100,7 +100,7 @@ jobs:
           sudo unzip -o /tmp/protoc.zip -d /usr/local
           protoc --version
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned)
 
       - name: Check buffa no_std (host)
         run: cargo check -p buffa --no-default-features
@@ -132,7 +132,7 @@ jobs:
           sudo unzip -o /tmp/protoc.zip -d /usr/local
           protoc --version
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned)
 
       - name: Regenerate bootstrap descriptor types
         # Proto sources are vendored in buffa-descriptor/protos/ (pinned),
@@ -176,15 +176,15 @@ jobs:
 
       - uses: dtolnay/rust-toolchain@stable
 
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1 (sha-pinned)
         with:
           workspaces: conformance
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 (sha-pinned)
 
       - name: Build tools image (cached)
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 (sha-pinned)
         with:
           context: .
           file: conformance/Dockerfile.tools

.github/workflows/cla.yaml

@@ -24,7 +24,7 @@ jobs:
         # co-author of at least one commit), Co-authored-by trailer support,
         # email-based allowlist matching, automatic retry of transient
         # GitHub 5xx errors, and actionable unlinked-email guidance.
-        uses: iainmcgin/cla-github-action@5b54183037a58ba5ade5ea9b3e1872d969730f77
+        uses: iainmcgin/cla-github-action@5b54183037a58ba5ade5ea9b3e1872d969730f77 # master (sha-pinned)
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/publish-crates.yml

@@ -47,7 +47,7 @@ jobs:
       - name: Authenticate (Trusted Publishing)
         id: auth
         if: ${{ !inputs.dry_run && env.CARGO_REGISTRY_TOKEN == '' }}
-        uses: rust-lang/crates-io-auth-action@v1
+        uses: rust-lang/crates-io-auth-action@bbd81622f20ce9e2dd9622e3218b975523e45bbe # v1.0.4 (sha-pinned)
 
       - name: Use Trusted Publishing token
         if: ${{ steps.auth.outputs.token != '' }}

.github/workflows/release.yml

@@ -131,7 +131,7 @@ jobs:
           subject-path: artifacts/${{ env.BINARY_PREFIX }}-*
 
       - name: Install cosign
-        uses: sigstore/cosign-installer@v3
+        uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1 (sha-pinned)
 
       - name: Sign artifacts with cosign (keyless)
         working-directory: artifacts
@@ -146,7 +146,7 @@ jobs:
           done
 
       - name: Create GitHub release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2 (sha-pinned)
         with:
           generate_release_notes: true
           files: |

.github/workflows/tools-image.yml

@@ -42,18 +42,18 @@ jobs:
       # Install QEMU for arm64 cross-compilation on the amd64 runner.
       # Only arm64 is needed — the runner already runs amd64 natively.
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 (sha-pinned)
         with:
           platforms: arm64
 
       # Create a multi-platform buildx builder backed by the container driver.
       # The default `docker` driver doesn't support multi-platform or the gha
       # cache backend.
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 (sha-pinned)
 
       - name: Log in to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 (sha-pinned)
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -83,7 +83,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 (sha-pinned)
         with:
           context: .
           file: conformance/Dockerfile.tools
@@ -135,7 +135,7 @@ jobs:
       #   cosign verify ghcr.io/<owner>/buffa/tools:v33.5 \
       #     --certificate-identity-regexp "github.com/<owner>/buffa/.github/workflows/tools-image.yml@" \
       #     --certificate-oidc-issuer https://token.actions.githubusercontent.com
-      - uses: sigstore/cosign-installer@v3
+      - uses: sigstore/cosign-installer@7e8b541eb2e61bf99390e1afd4be13a184e9ebc5 # v3.10.1 (sha-pinned)
       - name: Sign image
         env:
           IMAGE_DIGEST: ${{ env.IMAGE_BASE }}@${{ steps.build.outputs.digest }}