use sha-versions for most gh actions

PiperOrigin-RevId: 564692809
google · Sep 12, 2023 · 63402aa · 63402aa
1 parent 91d1b2d
commit 63402aa
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 16 deletions.
diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
@@ -233,14 +233,14 @@ jobs:
         sudo apt install -y ${EXTRA_PACKAGES}
 
     - name: Checkout the source
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         submodules: false
         fetch-depth: 1
 
     #- name: Checkout VC9 for Python
     #  if: ${{ runner.os == 'Windows' && matrix.build_system == 'python' &&  matrix.python_version == '2.7' }}
-    #  uses: actions/checkout@v4
+    #  uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
     #  with:
     #    repository: reider-roque/sulley-win-installer
     #    path: third_party/VCForPython27
@@ -338,7 +338,7 @@ jobs:
         cd integration
         mvn -B verify
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
       if: ${{ matrix.build_system == 'python' }}
       with:
         python-version: ${{ matrix.python_version }}
@@ -367,7 +367,7 @@ jobs:
     steps:
 
     - name: Checkout the source
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         submodules: false
         fetch-depth: 1

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -31,11 +31,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
       with:
         languages: ${{ matrix.language }}
         # CodeQL is currently crashing on files with large lists:
@@ -47,7 +47,7 @@ jobs:
 
     - if: matrix.language == 'cpp'
       name: Build CPP
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
 
     - if: matrix.language == 'cpp' || matrix.language == 'java'
       name: Build Java
@@ -57,15 +57,15 @@ jobs:
 
     - if: matrix.language == 'javascript'
       name: Build JS
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
 
     - if: matrix.language == 'cpp' || matrix.language == 'python'
       name: Build Python
       run: |
         python setup.py build_ext
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
       with:
         category: "/language:${{matrix.language}}"
         ref: "${{ github.ref != 'master' && github.ref || '/refs/heads/master' }}"

diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
@@ -28,7 +28,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: Upload Crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       if: failure()
       with:
         name: artifacts

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -13,6 +13,8 @@ on:
       - v*.*.*
   release:
     types: [ published ]
+  pull_request:
+    types: [opened, reopened, labeled, synchronize]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
@@ -46,12 +48,12 @@ jobs:
 
     steps:
     - name: Checkout the source
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         submodules: false
         fetch-depth: 1
 
-    - uses: actions/cache@v3
+    - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       id: cache-vcpkg
       with:
         path: vcpkg
@@ -100,22 +102,21 @@ jobs:
         cmake --build out --config Release --target install
         cp LICENSE prefix/bin/LICENSE.brotli
     - name: Upload artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: brotli-${{matrix.triplet}}
         path: |
           prefix/bin/*
 
     - name: Package release zip
-      if: github.event_name == 'release'
       shell: 'powershell'
       run: |
         Compress-Archive -Path prefix\bin\* `
           -DestinationPath brotli-${{matrix.triplet}}.zip
 
     - name: Upload binaries to release
       if: github.event_name == 'release'
-      uses: AButler/[email protected]
+      uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
       with:
         files: brotli-${{matrix.triplet}}.zip
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        tag_name: dev/null