
Commit 149c414

authored
Pin GH Actions (#181)
1 parent ed04e89 commit 149c414


3 files changed

+24
-26
lines changed


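--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -16,17 +16,17 @@ jobs:
 name: "Test"
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@v4 # ratchet:exclude
 with:
 persist-credentials: false
 
 - if: ${{ github.event_name == 'release' }}
-uses: oven-sh/setup-bun@v2
+uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 with:
 no-cache: true
 
 - if: ${{ github.event_name != 'release' }}
-uses: oven-sh/setup-bun@v2
+uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 
 
 - run: bun install --frozen-lockfile
@@ -43,17 +43,17 @@ jobs:
 name: "Package"
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@v4 # ratchet:exclude
 with:
 persist-credentials: false
 
 - if: ${{ github.event_name == 'release' }}
-uses: oven-sh/setup-bun@v2
+uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 with:
 no-cache: true
 
 - if: ${{ github.event_name != 'release' }}
-uses: oven-sh/setup-bun@v2
+uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 
 - run: bun install --frozen-lockfile
 
@@ -64,7 +64,7 @@ jobs:
 - name: Setup Environment
 run: node -e "console.log('PACKAGE_VERSION=' + require('./package.json').version + '\nPACKAGE_NAME=' + require('./package.json').name + '-' + require('./package.json').version)" >> $GITHUB_ENV
 
-- uses: actions/upload-artifact@v4
+- uses: actions/upload-artifact@v4 # ratchet:exclude
 with:
 name: ${{ env.PACKAGE_NAME }}.vsix
 path: ./${{ env.PACKAGE_NAME }}.vsix
@@ -79,22 +79,22 @@ jobs:
 name: "JetBrains"
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@v4 # ratchet:exclude
 with:
 persist-credentials: false
 
 - if: ${{ github.event_name == 'release' }}
-uses: oven-sh/setup-bun@v2
+uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 with:
 no-cache: true
 
 - if: ${{ github.event_name != 'release' }}
-uses: oven-sh/setup-bun@v2
+uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 
 - run: bun install --frozen-lockfile
 - run: bun build-webview
 
-- uses: actions/upload-artifact@v4
+- uses: actions/upload-artifact@v4 # ratchet:exclude
 with:
 name: "Jetbrains"
 path: "./dist/webview/"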
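Review bot: `actions/checkout@v4` and `actions/upload-artifact@v4` are still referenced by mutable tag, because the added `# ratchet:exclude` markers only tell ratchet to skip them; a retagged `v4` would run in the Test, Package and JetBrains jobs, which the `if:` conditions show also run on `release` events. If trusting GitHub-owned actions is a deliberate policy, state it in a comment beside the first exclusion; otherwise pin them the same way as setup-bun, e.g. `uses: actions/checkout@<full-commit-sha> # ratchet:actions/checkout@v4` (placeholder, let ratchet resolve the SHA). The same exclusion appears in pages.yaml (`upload-pages-artifact@v3`, and `deploy-pages@v4` in the job that holds `pages: write` and `id-token: write`) and on the checkout step in zizmor.yaml.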

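--- a/.github/workflows/pages.yaml
+++ b/.github/workflows/pages.yaml
@@ -11,10 +11,10 @@ jobs:
 name: "Build Demo site"
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v4
+- uses: actions/checkout@v4 # ratchet:exclude
 with:
-persist-credentials: false
-- uses: oven-sh/setup-bun@v2
+persist-credentials: false
+- uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # ratchet:oven-sh/setup-bun@v2
 with:
 no-cache: true
 
@@ -29,18 +29,20 @@ jobs:
 - name: "Build docs"
 run: bun docs --out ./dist/demo/docs
 
-- uses: actions/upload-pages-artifact@v3
+- uses: actions/upload-pages-artifact@v3 # ratchet:exclude
 with:
 path: ./dist/demo
 deploy:
 if: github.ref == 'refs/heads/main'
 needs: build
 runs-on: ubuntu-latest
 # Grant GITHUB_TOKEN the permissions required to make a Pages deployment
+
 permissions:
 pages: write # to deploy to Pages
 id-token: write # to verify the deployment originates from an appropriate source
 steps:
 - name: Deploy to GitHub Pages
 id: deployment
-uses: actions/deploy-pages@v4
+
+uses: actions/deploy-pages@v4 # ratchet:exclude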
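Review bot: The blank line added at new line 47 sits inside the "Deploy to GitHub Pages" step, between `id: deployment` and `uses:`, and the one at new line 40 detaches the `# Grant GITHUB_TOKEN …` comment from the `permissions:` key it documents; both look like formatter residue and are better dropped. The `persist-credentials: false` line at 16 is shown as removed and re-added with identical text, so the difference is whitespace this page does not show. It is worth confirming that the line is still nested under the checkout step's `with:`, since that setting is what keeps the token out of the checked-out repository's git config.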

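--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yaml
@@ -12,25 +12,21 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 security-events: write
-# required for workflows in private repositories
-contents: read
-actions: read
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@v4 # ratchet:exclude
 with:
 persist-credentials: false
-
 - name: Install the latest version of uv
-uses: astral-sh/setup-uv@v5
-
+uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # ratchet:astral-sh/setup-uv@v5
+with:
+enable-cache: false
 - name: Run zizmor 🌈
 run: uvx zizmor --format sarif . > results.sarif
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 - name: Upload SARIF file
-uses: github/codeql-action/upload-sarif@v3
+uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # ratchet:github/codeql-action/upload-sarif@v3
 with:
 sarif_file: results.sarif
-category: zizmor
+category: zizmor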
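Review bot: The `run: uvx zizmor --format sarif . > results.sarif` step still resolves whichever zizmor release is current at run time, with `GH_TOKEN` in its environment, so the job keeps an unpinned dependency after the actions around it were pinned. Pin the tool, e.g. `run: uvx zizmor@<pinned-version> --format sarif . > results.sarif` (placeholder version), and consider a `version:` input on the setup-uv step, which is named "Install the latest version of uv". Separately, dropping `contents: read` and `actions: read` leaves `security-events: write` as the only granted scope. The removed comment said those scopes are required in private repositories, so checkout and the SARIF upload would presumably fail if the repository's visibility ever changes. The job definition begins above this hunk.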
