From 0a1ee45aa39313eca5f51f95cf8629b9a2f1162a Mon Sep 17 00:00:00 2001 From: Etienne Stalmans Date: Fri, 27 Mar 2026 12:34:48 +0100 Subject: [PATCH] chore: pin actions to sha --- .github/workflows/cli.yaml | 2 +- .github/workflows/pgTAP.yaml | 4 ++-- .github/workflows/pre-commit_hooks.yaml | 4 ++-- .github/workflows/prettier.yaml | 4 ++-- .github/workflows/release-cli.yaml | 26 ++++++++++----------- .github/workflows/release-homebrew-tap.yaml | 10 ++++---- .github/workflows/release-scoop-bucket.yaml | 6 ++--- .github/workflows/website-tests.yaml | 8 +++---- 8 files changed, 32 insertions(+), 32 deletions(-) diff --git a/.github/workflows/cli.yaml b/.github/workflows/cli.yaml index 738d88e9..4f5f7eda 100644 --- a/.github/workflows/cli.yaml +++ b/.github/workflows/cli.yaml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build run: cargo build --release --verbose working-directory: ./cli diff --git a/.github/workflows/pgTAP.yaml b/.github/workflows/pgTAP.yaml index 0d8cd79c..58e3cace 100644 --- a/.github/workflows/pgTAP.yaml +++ b/.github/workflows/pgTAP.yaml @@ -10,8 +10,8 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 - - uses: supabase/setup-cli@v1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: supabase/setup-cli@b60b5899c73b63a2d2d651b1e90db8d4c9392f51 # v1.6.0 with: version: 2.75.0 - name: Supabase Start diff --git a/.github/workflows/pre-commit_hooks.yaml b/.github/workflows/pre-commit_hooks.yaml index 18f7830b..a99b749f 100644 --- a/.github/workflows/pre-commit_hooks.yaml +++ b/.github/workflows/pre-commit_hooks.yaml 
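Review bot: The trailing `# v6.0.2` on the pinned `actions/checkout` line in cli.yaml is only a comment, so nothing in the workflow checks that the SHA is the commit that tag points to; the same holds for every pinned `uses:` line in this patch. Before merging, each SHA should be resolved against the tag in the action's own upstream repository rather than a fork, because a full-length SHA can also resolve to a commit that exists only in a fork of that repository. The diffstat lists only the eight workflow files, so if the repository has no updater for the `github-actions` ecosystem yet, the pins will stay frozen when upstream ships fixes. A Dependabot or Renovate entry that rewrites the SHA and its version comment together would cover that.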
@@ -11,10 +11,10 @@ jobs: steps: - name: checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: set up python 3.10 - uses: actions/setup-python@v6 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.10" diff --git a/.github/workflows/prettier.yaml b/.github/workflows/prettier.yaml index 08c1eaa1..3a4f781c 100644 --- a/.github/workflows/prettier.yaml +++ b/.github/workflows/prettier.yaml @@ -13,9 +13,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Check out repo - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Prettier - uses: creyD/prettier_action@v4.6 + uses: creyD/prettier_action@8c18391fdc98ed0d884c6345f03975edac71b8f0 # v4.6 with: # Prettier CLI arguments prettier_options: '--config ./website/.prettierrc --ignore-path ./website/.prettierignore --check ./website' diff --git a/.github/workflows/release-cli.yaml b/.github/workflows/release-cli.yaml index 4da5613e..2ba60aa2 100644 --- a/.github/workflows/release-cli.yaml +++ b/.github/workflows/release-cli.yaml @@ -14,9 +14,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Read CLI version - uses: SebRollen/toml-action@v1.2.0 + uses: SebRollen/toml-action@b1b3628f55fc3a28208d4203ada8b737e9687876 # v1.2.0 id: read_cli_version with: file: './cli/Cargo.toml' @@ -29,7 +29,7 @@ jobs: exit 1 - name: Create Release id: create_release - uses: actions/create-release@v1 + uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: 
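Review bot: `actions/create-release` in the release-cli.yaml hunk at `-29,7` is handed `GITHUB_TOKEN` and, as far as I know, is archived upstream, so the pin freezes an action that will not receive further fixes. The same applies to `actions/upload-release-asset` (hunks `-97,7`, `-108,7`, `-139,7`, `-170,7`) and probably to `actions-rs/toolchain` (hunks `-60,12`, `-126,12`, `-157,12`); please confirm their maintenance status. A follow-up could replace the release steps with `gh release create` and `gh release upload` in a `run:` step, which removes third-party code from the path that holds the token. The step's `with:` block continues past the end of the hunk, and no `permissions:` block is visible here, so I cannot tell how the token is scoped.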
@@ -60,12 +60,12 @@ jobs: sudo apt-get install -y --no-install-recommends curl build-essential libssl-dev pkg-config - name: Install Rust Toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal toolchain: stable - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build and Package run: | cd cli @@ -97,7 +97,7 @@ jobs: sudo dpkg-deb --build "${package_dir}" - name: Upload gzip Package - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -108,7 +108,7 @@ jobs: asset_content_type: application/gzip - name: Upload Debian Package - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -126,12 +126,12 @@ jobs: timeout-minutes: 45 steps: - name: Install Rust Toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal toolchain: stable - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build and Package run: | cd cli @@ -139,7 +139,7 @@ jobs: cd ./target/release && tar -czvf dbdev.tar.gz ./dbdev - name: Upload Release Asset - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
@@ -157,12 +157,12 @@ jobs: timeout-minutes: 45 steps: - name: Install Rust Toolchain - uses: actions-rs/toolchain@v1 + uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af # v1.0.7 with: profile: minimal toolchain: stable - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Build and Package run: | cd cli @@ -170,7 +170,7 @@ jobs: cd ./target/release && Compress-Archive -Path ./dbdev.exe -Destination dbdev.zip - name: Upload Release Asset - uses: actions/upload-release-asset@v1 + uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2 env: UPLOAD_URL: ${{ needs.create-release.outputs.upload_url }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release-homebrew-tap.yaml b/.github/workflows/release-homebrew-tap.yaml index 43883294..861671a2 100644 --- a/.github/workflows/release-homebrew-tap.yaml +++ b/.github/workflows/release-homebrew-tap.yaml @@ -17,7 +17,7 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: supabase/homebrew-tap ref: "main" 
@@ -31,21 +31,21 @@ jobs: # strip the leading v (if present) echo "version=${tag#v}" >> "$GITHUB_OUTPUT" - name: Download Linux AMD64 package - uses: robinraju/release-downloader@v1.12 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1 with: repository: "supabase/dbdev" tag: ${{ inputs.tag }} fileName: "dbdev-${{ inputs.tag }}-linux-amd64.tar.gz" - name: Download Linux ARM64 package - uses: robinraju/release-downloader@v1.12 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1 with: repository: "supabase/dbdev" tag: ${{ inputs.tag }} fileName: "dbdev-${{ inputs.tag }}-linux-arm64.tar.gz" - name: Download macOS ARM64 package - uses: robinraju/release-downloader@v1.12 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1 with: repository: "supabase/dbdev" tag: ${{ inputs.tag }} @@ -113,7 +113,7 @@ jobs: echo "It was auto-generated by the dbdev release workflow." >> PR_BODY.md - name: Create Pull Request - uses: peter-evans/create-pull-request@v8.1.0 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.homebrew_tap_rw }} commit-message: "Release dbdev version v${{ steps.vars.outputs.version }}" diff --git a/.github/workflows/release-scoop-bucket.yaml b/.github/workflows/release-scoop-bucket.yaml index 9c26353a..d8a21539 100644 --- a/.github/workflows/release-scoop-bucket.yaml +++ b/.github/workflows/release-scoop-bucket.yaml @@ -17,7 +17,7 @@ jobs: release: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6.0.2 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: repository: supabase/scoop-bucket ref: "main" 
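Review bot: The three `robinraju/release-downloader` lines in release-homebrew-tap.yaml replace `@v1.12` with a SHA whose comment reads `# v1`, which is less specific than the tag being removed and does not say which release the SHA is. The scoop-bucket hunk at `-33,7` carries the same comment. Every other pin in the patch is annotated with an exact version, and update tools typically rely on that comment when proposing a bump. I cannot tell from the diff which release `daf26c55d821e836577a15f77d86ddc078948b05` corresponds to, so confirm it upstream and write the exact version, for example `# v1.12` if it is the commit the old tag pointed to.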
@@ -33,7 +33,7 @@ jobs: echo "version=${tag#v}" >> "$GITHUB_OUTPUT" - name: Download Windows AMD64 package - uses: robinraju/release-downloader@v1.12 + uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1 with: repository: "supabase/dbdev" tag: ${{ inputs.tag }} @@ -69,7 +69,7 @@ jobs: echo "It was auto-generated by the dbdev release workflow." >> PR_BODY.md - name: Create Pull Request - uses: peter-evans/create-pull-request@v8.1.0 + uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0 with: token: ${{ secrets.scoop_bucket_rw }} commit-message: "Release dbdev version v${{ steps.vars.outputs.version }}" diff --git a/.github/workflows/website-tests.yaml b/.github/workflows/website-tests.yaml index 2b64aa60..0aff0570 100644 --- a/.github/workflows/website-tests.yaml +++ b/.github/workflows/website-tests.yaml @@ -22,15 +22,15 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6.0.2 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Setup pnpm - uses: pnpm/action-setup@v5 + uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0 with: version: latest - name: Setup Node.js - uses: actions/setup-node@v6 + uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: "24" cache: "pnpm" @@ -43,7 +43,7 @@ jobs: run: pnpm run test:coverage - name: Upload coverage to Coveralls - uses: coverallsapp/github-action@v2 + uses: coverallsapp/github-action@5cbfd81b66ca5d10c19b062c04de0199c215fb6e # v2.3.7 with: file: website/coverage/lcov.info flag-name: frontend
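Review bot: `pnpm/action-setup` is now pinned to a SHA in website-tests.yaml, but the step still passes `version: latest`, so the pnpm binary that performs the install and runs the tests is resolved at run time and is not covered by the pin. Pinning it closes the gap, e.g. `version: "<pnpm version used by the project>"`, or drop the input and let the action read the `packageManager` field if the project's package.json declares one (not visible in this diff). The `toolchain: stable` input on the `actions-rs/toolchain` steps in release-cli.yaml floats in the same way.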