
Commit a8c5f38

committed
fix: Pin actions to SHA and add permissions blocks
1 parent f101fbf commit a8c5f38

13 files changed

+59
-39
lines changed

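--- a/.github/workflows/auto-release.yml
+++ b/.github/workflows/auto-release.yml
@@ -11,23 +11,27 @@ on:
 merge_target:
 description: Target branch to merge into
 required: false
+permissions:
+contents: write
+pull-requests: write
+
 jobs:
 release:
 runs-on: ubuntu-latest
 name: Release a new version
 steps:
 - name: Get auth token
 id: token
-uses: actions/create-github-app-token@v1
+uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v2
 with:
 app-id: ${{ vars.SENTRY_RELEASE_BOT_CLIENT_ID }}
 private-key: ${{ secrets.SENTRY_RELEASE_BOT_PRIVATE_KEY }}
-- uses: actions/checkout@v4
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 token: ${{ steps.token.outputs.token }}
 fetch-depth: 0
 - name: Prepare release
-uses: getsentry/craft@v2
+uses: getsentry/craft@39ee616a6a58dc64797feecb145d66770492b66c # v2
 env:
 GITHUB_TOKEN: ${{ steps.token.outputs.token }}
 with: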
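Review bot: The trailing `# v2` comments do not match the refs they replace: in this file `actions/create-github-app-token@v1` and `actions/checkout@v4` both become SHAs labelled `# v2`, and the same checkout SHA (`34e1148…`) replaces `actions/checkout@v6` in build.yml, canary.yml and the other workflow files in this commit. A single commit is unlikely to be both the v4 and the v6 release, so at least one of these pins is probably a silent major-version change, here in a job that handles the release bot's private key. Resolve each SHA against the upstream release it is meant to be and put the exact tag in the comment, for example `- uses: actions/checkout@<sha-of-intended-release> # <exact-tag>`, so reviewers and update bots can see what is actually pinned. The `Prepare release` step's `with:` block continues past the end of the hunk.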

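--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -71,7 +71,7 @@ jobs:
 pull-requests: read
 steps:
 - name: Check out current commit
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 # We need to check out not only the fake merge commit between the PR and the base branch which GH creates, but
@@ -131,13 +131,13 @@ jobs:
 (needs.job_get_metadata.outputs.is_gitflow_sync == 'false' && needs.job_get_metadata.outputs.has_gitflow_label == 'false' && needs.job_get_metadata.outputs.changed_any_code == 'true')
 steps:
 - name: Check out base commit (${{ github.event.pull_request.base.sha }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 if: github.event_name == 'pull_request'
 with:
 ref: ${{ github.event.pull_request.base.sha }}
 
 - name: 'Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})'
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 
@@ -238,7 +238,7 @@ jobs:
 needs.job_get_metadata.outputs.is_release == 'true'
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -267,7 +267,7 @@ jobs:
 needs.job_get_metadata.outputs.is_base_branch == 'true' || needs.job_get_metadata.outputs.is_release == 'true'
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -296,7 +296,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -325,7 +325,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 
@@ -348,7 +348,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -370,7 +370,7 @@ jobs:
 if: needs.job_get_metadata.outputs.is_release == 'true'
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -405,13 +405,13 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Check out base commit (${{ github.event.pull_request.base.sha }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 if: github.event_name == 'pull_request'
 with:
 ref: ${{ github.event.pull_request.base.sha }}
 
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -452,7 +452,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -477,7 +477,7 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -509,12 +509,12 @@ jobs:
 node: [18, 20, 22, 24]
 steps:
 - name: Check out base commit (${{ github.event.pull_request.base.sha }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 if: github.event_name == 'pull_request'
 with:
 ref: ${{ github.event.pull_request.base.sha }}
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -603,7 +603,7 @@ jobs:
 
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -667,7 +667,7 @@ jobs:
 
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -715,7 +715,7 @@ jobs:
 timeout-minutes: 5
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -753,7 +753,7 @@ jobs:
 typescript: '3.8'
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -789,7 +789,7 @@ jobs:
 timeout-minutes: 15
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -817,7 +817,7 @@ jobs:
 node: [18, 20, 22, 24]
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -864,12 +864,12 @@ jobs:
 matrix-optional: ${{ steps.matrix-optional.outputs.matrix }}
 steps:
 - name: Check out base commit (${{ github.event.pull_request.base.sha }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 if: github.event_name == 'pull_request'
 with:
 ref: ${{ github.event.pull_request.base.sha }}
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -934,7 +934,7 @@ jobs:
 matrix: ${{ fromJson(needs.job_e2e_prepare.outputs.matrix) }}
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - uses: pnpm/action-setup@v4
@@ -1068,7 +1068,7 @@ jobs:
 
 steps:
 - name: Check out current commit (${{ needs.job_get_metadata.outputs.commit_label }})
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - uses: pnpm/action-setup@v4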
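Review bot: `pnpm/action-setup@v4` (new lines 940 and 1074, visible as context) stays on a mutable tag although the commit's stated purpose is SHA pinning, and a third-party action is where a moved tag matters most. The same gap shows in canary.yml (`pnpm/action-setup@v4`), in clear-cache.yml, external-contributors.yml and flaky-test-detector.yml (`actions/setup-node@v6`), and in changelog-preview.yml, where the reusable workflow `getsentry/craft/.github/workflows/changelog-preview.yml@v2` now runs under the write scopes this commit adds. Pin these the same way, e.g. `- uses: pnpm/action-setup@<full-commit-sha> # <exact-tag>`; for the craft reusable workflow the SHA already used for `getsentry/craft` in auto-release.yml may be the right one, if that is the intended release. Most jobs in this file are only partly visible in these hunks, so other unpinned `uses:` lines may exist outside them.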

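--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -31,7 +31,7 @@ jobs:
 timeout-minutes: 30
 steps:
 - name: Check out current commit
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - name: Set up Node
@@ -123,7 +123,7 @@ jobs:
 
 steps:
 - name: Check out current commit
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 with:
 ref: ${{ env.HEAD_COMMIT }}
 - uses: pnpm/action-setup@v4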

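--- a/.github/workflows/changelog-preview.yml
+++ b/.github/workflows/changelog-preview.yml
@@ -7,6 +7,10 @@ on:
 - reopened
 - edited
 - labeled
+permissions:
+contents: write
+pull-requests: write
+
 jobs:
 changelog-preview:
 uses: getsentry/craft/.github/workflows/changelog-preview.yml@v2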
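Review bot: `contents: write` at workflow level looks broader than a changelog preview should need, and it is granted on a workflow whose trigger types (`reopened`, `edited`, `labeled`, visible just above the new block) suggest it runs on pull-request activity; the event name itself is outside the hunk. Workflow-level permissions are the ceiling for the called reusable workflow, so everything in `changelog-preview.yml@v2` can receive a token that is able to push. What the called workflow actually does is not visible here; if it only posts or updates a PR comment, `contents: read` with `pull-requests: write` would be enough. auto-release.yml gets the same block, yet its visible steps authenticate with the app token from `steps.token.outputs.token`, so the built-in token may not need write scopes there either.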

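--- a/.github/workflows/cleanup-pr-caches.yml
+++ b/.github/workflows/cleanup-pr-caches.yml
@@ -14,7 +14,7 @@ jobs:
 contents: read
 steps:
 - name: Check out code
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
 - name: Cleanup
 run: |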

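--- a/.github/workflows/clear-cache.yml
+++ b/.github/workflows/clear-cache.yml
@@ -23,7 +23,7 @@ jobs:
 name: Delete all caches
 runs-on: ubuntu-24.04
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
 - name: Set up Node
 uses: actions/setup-node@v6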

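--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -46,7 +46,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL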

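--- a/.github/workflows/external-contributors.yml
+++ b/.github/workflows/external-contributors.yml
@@ -20,7 +20,7 @@ jobs:
 && github.event.pull_request.author_association != 'OWNER'
 && endsWith(github.event.pull_request.user.login, '[bot]') == false
 steps:
-- uses: actions/checkout@v6
+- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 - name: Set up Node
 uses: actions/setup-node@v6
 with: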

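--- a/.github/workflows/flaky-test-detector.yml
+++ b/.github/workflows/flaky-test-detector.yml
@@ -30,7 +30,7 @@ jobs:
 if: ${{ github.base_ref != 'master' && github.ref != 'refs/heads/master' }}
 steps:
 - name: Check out current branch
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 - name: Set up Node
 uses: actions/setup-node@v6
 with: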

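--- a/.github/workflows/gitflow-sync-develop.yml
+++ b/.github/workflows/gitflow-sync-develop.yml
@@ -23,7 +23,7 @@ jobs:
 contents: write
 steps:
 - name: git checkout
-uses: actions/checkout@v6
+uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v2
 
 # https://github.com/marketplace/actions/github-pull-request-action
 - name: Create Pull Request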
