diff --git a/.github/workflows/ggshield-scan.yml b/.github/workflows/ggshield-scan.yml index d09e32b..be3269a 100644 --- a/.github/workflows/ggshield-scan.yml +++ b/.github/workflows/ggshield-scan.yml @@ -33,14 +33,14 @@ jobs: scan: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 with: # ggshield diffs the commit range; it needs full history, not a shallow # clone, to resolve the base of a push or PR. fetch-depth: 0 - name: ggshield secret scan - uses: GitGuardian/ggshield-action@v1 + uses: GitGuardian/ggshield-action@da20be06cafe5e8633dc24744efe1efe8d30f06b # v1 env: # ggshield-action reads these to compute the exact push/PR commit range # to scan (see GitGuardian's GitHub Actions docs). diff --git a/.github/workflows/kustomize-validate.yml b/.github/workflows/kustomize-validate.yml index cc1819c..343be37 100644 --- a/.github/workflows/kustomize-validate.yml +++ b/.github/workflows/kustomize-validate.yml @@ -40,9 +40,9 @@ jobs: # render with "unknown shorthand flag: 'c' in -c". HELM_VERSION: v3.21.1 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - uses: azure/setup-helm@v4 # `kustomize build --enable-helm` needs helm on PATH + - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4 # `kustomize build --enable-helm` needs helm on PATH with: version: ${{ env.HELM_VERSION }} diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml index 9d62075..5314cfd 100644 --- a/.github/workflows/selftest.yml +++ b/.github/workflows/selftest.yml @@ -16,7 +16,7 @@ jobs: env: LEFTHOOK_VERSION: 2.1.9 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: YAML-parse lefthook/base.yml (independent of lefthook) # Catches the unquoted-scalar class that broke every fresh `lefthook @@ -41,7 +41,7 @@ jobs: env: ACTIONLINT_VERSION: 1.7.12 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: install + run actionlint # Validates Actions workflow + expression syntax across this repo's # reusable workflows. shellcheck-of-run-blocks is off (the shared shell @@ -53,7 +53,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: shellcheck shared scripts # The scripts here run in every consumer (CI + Lefthook pre-push), so a # bug propagates everywhere — lint them at the root. shellcheck ships on