Pin GH Actions (#181)

Author: tmr232

.github/workflows/build.yaml

@@ -16,17 +16,17 @@ jobs:
     name: "Test"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4 # ratchet:exclude
         with:
           persist-credentials: false
 
       - if: ${{ github.event_name == 'release' }}
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
         with:
           no-cache: true
 
       - if: ${{ github.event_name != 'release' }}
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 
 
       - run: bun install --frozen-lockfile
@@ -43,17 +43,17 @@ jobs:
     name: "Package"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4 # ratchet:exclude
         with:
           persist-credentials: false
 
       - if: ${{ github.event_name == 'release' }}
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
         with:
           no-cache: true
 
       - if: ${{ github.event_name != 'release' }}
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 
       - run: bun install --frozen-lockfile
 
@@ -64,7 +64,7 @@ jobs:
       - name: Setup Environment
         run: node -e "console.log('PACKAGE_VERSION=' + require('./package.json').version + '\nPACKAGE_NAME=' + require('./package.json').name + '-' + require('./package.json').version)" >> $GITHUB_ENV
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v4 # ratchet:exclude
         with:
           name: ${{ env.PACKAGE_NAME }}.vsix
           path: ./${{ env.PACKAGE_NAME }}.vsix
@@ -79,22 +79,22 @@ jobs:
     name: "JetBrains"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4 # ratchet:exclude
         with:
           persist-credentials: false
 
       - if: ${{ github.event_name == 'release' }}
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
         with:
           no-cache: true
 
       - if: ${{ github.event_name != 'release' }}
-        uses: oven-sh/setup-bun@v2
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 
       - run: bun install --frozen-lockfile
       - run: bun build-webview
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@v4 # ratchet:exclude
         with:
           name: "Jetbrains"
           path: "./dist/webview/"

.github/workflows/pages.yaml

@@ -11,10 +11,10 @@ jobs:
     name: "Build Demo site"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4 # ratchet:exclude
         with:
-            persist-credentials: false
-      - uses: oven-sh/setup-bun@v2
+          persist-credentials: false
+      - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
         with:
           no-cache: true
 
@@ -29,18 +29,20 @@ jobs:
       - name: "Build docs"
         run: bun docs --out ./dist/demo/docs
 
-      - uses: actions/upload-pages-artifact@v3
+      - uses: actions/upload-pages-artifact@v3 # ratchet:exclude
         with:
           path: ./dist/demo
   deploy:
     if: github.ref == 'refs/heads/main'
     needs: build
     runs-on: ubuntu-latest
     # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
+
     permissions:
       pages: write # to deploy to Pages
       id-token: write # to verify the deployment originates from an appropriate source
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+
+        uses: actions/deploy-pages@v4 # ratchet:exclude

.github/workflows/zizmor.yml renamed to .github/workflows/zizmor.yaml

@@ -12,25 +12,21 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       security-events: write
-      # required for workflows in private repositories
-      contents: read
-      actions: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4 # ratchet:exclude
         with:
           persist-credentials: false
-
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@v5
-
+        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # ratchet:astral-sh/setup-uv@v5
+        with:
+          enable-cache: false
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # ratchet:github/codeql-action/upload-sarif@v3
         with:
           sarif_file: results.sarif
-          category: zizmor
+          category: zizmor