Pin GH actions to SHA to avoid mutable refs (#3973)

2023-03-02 12:30:14 +01:00 · 2023-03-02 12:30:14 +01:00 · e98f628d34
parent b2ab61559c
commit e98f628d34
5 changed files with 14 additions and 28 deletions
--- a/.github/workflows/announce-release-on-discord.yml
+++ b/.github/workflows/announce-release-on-discord.yml
@ -2,7 +2,6 @@ name: Announce release on discord
 on:
  release:
    types: [published]
-
 jobs:
  send_announcement:
    runs-on: ubuntu-latest
@ -12,7 +11,7 @@ jobs:
          DISCORD_WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }}
          DISCORD_USERNAME: PlotSquared Release
          DISCORD_AVATAR: https://raw.githubusercontent.com/IntellectualSites/Assets/main/plugins/PlotSquared/PlotSquared.png
-        uses: Ilshidur/action-discord@0.3.2
+        uses: Ilshidur/action-discord@0c4b27844ba47cb1c7bee539c8eead5284ce9fa9 # ratchet:Ilshidur/action-discord@0.3.2
        with:
          args: |
            "<@&525015541815967744> <@&679322738552471574> <@&699293353862496266>"
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@ -1,19 +1,17 @@
 name: Build PR
-
-on: [ pull_request ]
-
+on: [pull_request]
 jobs:
  build_pr:
    if: github.repository_owner == 'IntellectualSites'
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ubuntu-latest, windows-latest, macos-latest]
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Validate Gradle Wrapper
-        uses: gradle/wrapper-validation-action@v1
+        uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1
      - name: Setup Java
        uses: actions/setup-java@v3
        with:
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -1,10 +1,8 @@
 name: build
-
 on:
  push:
    branches:
      - v6
-
 jobs:
  build:
    if: github.repository_owner == 'IntellectualSites'
@ -13,7 +11,7 @@ jobs:
      - name: Checkout Repository
        uses: actions/checkout@v3
      - name: Validate Gradle Wrapper
-        uses: gradle/wrapper-validation-action@v1
+        uses: gradle/wrapper-validation-action@55e685c48d84285a5b0418cd094606e199cca3b6 # v1
      - name: Setup Java
        uses: actions/setup-java@v3
        with:
@ -45,7 +43,7 @@ jobs:
          ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
      - name: Publish core javadoc
        if: ${{ runner.os == 'Linux' && env.STATUS == 'release' && github.event_name == 'push' && github.ref == 'refs/heads/v6'}}
-        uses: cpina/github-action-push-to-another-repository@main
+        uses: cpina/github-action-push-to-another-repository@0a14457bb28b04dfa1652e0ffdfda866d2845c73 # main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
        with:
@ -57,7 +55,7 @@ jobs:
          target-directory: core
      - name: Publish bukkit javadoc
        if: ${{ runner.os == 'Linux' && env.STATUS == 'release' && github.event_name == 'push' && github.ref == 'refs/heads/v6'}}
-        uses: cpina/github-action-push-to-another-repository@main
+        uses: cpina/github-action-push-to-another-repository@0a14457bb28b04dfa1652e0ffdfda866d2845c73 # main
        env:
          SSH_DEPLOY_KEY: ${{ secrets.SSH_DEPLOY_KEY }}
        with:
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -1,10 +1,8 @@
 name: "CodeQL"
-
 on:
  pull_request:
    # The branches below must be a subset of the branches above
-    branches: [ v6 ]
-
+    branches: [v6]
 jobs:
  analyze:
    name: Analyze
@ -13,23 +11,18 @@ jobs:
      actions: read
      contents: read
      security-events: write
-
    strategy:
      fail-fast: false
      matrix:
-        language: [ 'java' ]
-
+        language: ['java']
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
-
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2
        with:
          languages: ${{ matrix.language }}
-
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v2
-
+        uses: github/codeql-action/autobuild@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2
      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v2
+        uses: github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 # v2
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@ -1,14 +1,12 @@
 name: draft release
-
 on:
  push:
    branches:
      - v6
  pull_request:
-    types: [ opened, reopened, synchronize ]
+    types: [opened, reopened, synchronize]
  pull_request_target:
-    types: [ opened, reopened, synchronize ]
-
+    types: [opened, reopened, synchronize]
 jobs:
  update_release_draft:
    if: ${{ github.event_name != 'pull_request' || github.repository != github.event.pull_request.head.repo.full_name }}