diff --git a/.github/workflows/casket-pages.yml b/.github/workflows/casket-pages.yml index b2f6c16..9e28742 100644 --- a/.github/workflows/casket-pages.yml +++ b/.github/workflows/casket-pages.yml @@ -20,10 +20,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 - name: Checkout casket-ssg - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: repository: hyperpolymath/casket-ssg path: .casket-ssg diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 1ee9ba8..b231c03 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Set up Ruby uses: ruby/setup-ruby@v1 @@ -74,7 +74,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Set up Ruby uses: ruby/setup-ruby@v1 @@ -101,7 +101,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Set up Ruby uses: ruby/setup-ruby@v1 @@ -131,7 +131,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Dependency Review uses: actions/dependency-review-action@v4 @@ -143,7 +143,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Initialize CodeQL uses: github/codeql-action/init@v4.31.9 @@ -162,7 +162,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Set up Ruby uses: ruby/setup-ruby@v1 @@ -245,7 +245,7 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Set up Podman run: | diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 8b124e9..3c98496 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,7 +26,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Initialize CodeQL uses: github/codeql-action/init@662472033e021d55d94146f66f6058822b0b39fd # v3.28.1 diff --git a/.github/workflows/gleam-ci.yml b/.github/workflows/gleam-ci.yml index bf825cc..1683e0e 100644 --- a/.github/workflows/gleam-ci.yml +++ b/.github/workflows/gleam-ci.yml @@ -23,7 +23,7 @@ jobs: working-directory: backend steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.1 - name: Setup Erlang/OTP and Gleam uses: erlef/setup-beam@v1 @@ -60,7 +60,7 @@ jobs: if: github.event_name == 'push' && github.ref == 'refs/heads/main' steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.1 - name: Build Docker image run: | diff --git a/.github/workflows/guix-nix-policy.yml b/.github/workflows/guix-nix-policy.yml index 442b769..9aa47e2 100644 --- a/.github/workflows/guix-nix-policy.yml +++ b/.github/workflows/guix-nix-policy.yml @@ -10,7 +10,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Enforce Guix primary / Nix fallback run: | # Check for package manager files diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml index e729658..9a62b2e 100644 --- a/.github/workflows/jekyll-gh-pages.yml +++ b/.github/workflows/jekyll-gh-pages.yml @@ -27,7 +27,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@v6.0.1 - name: Setup Pages uses: actions/configure-pages@v5 - name: Build with Jekyll diff --git a/.github/workflows/language-policy.yml b/.github/workflows/language-policy.yml index f99823b..b4ace90 100644 --- a/.github/workflows/language-policy.yml +++ b/.github/workflows/language-policy.yml @@ -4,7 +4,7 @@ jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.1 - name: Enforce language policies run: | # Block new Python files (except SaltStack) diff --git a/.github/workflows/mirror.yml b/.github/workflows/mirror.yml index f1cc391..32daa47 100644 --- a/.github/workflows/mirror.yml +++ b/.github/workflows/mirror.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest if: vars.GITLAB_MIRROR_ENABLED == 'true' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest if: vars.BITBUCKET_MIRROR_ENABLED == 'true' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 @@ -50,7 +50,7 @@ jobs: runs-on: ubuntu-latest if: vars.CODEBERG_MIRROR_ENABLED == 'true' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 @@ -68,7 +68,7 @@ jobs: runs-on: ubuntu-latest if: vars.SOURCEHUT_MIRROR_ENABLED == 'true' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 @@ -86,7 +86,7 @@ jobs: runs-on: ubuntu-latest if: vars.DISROOT_MIRROR_ENABLED == 'true' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 @@ -104,7 +104,7 @@ jobs: runs-on: ubuntu-latest if: vars.GITEA_MIRROR_ENABLED == 'true' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 @@ -122,7 +122,7 @@ jobs: runs-on: ubuntu-latest if: vars.RADICLE_MIRROR_ENABLED == 'true' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 diff --git a/.github/workflows/npm-bun-blocker.yml b/.github/workflows/npm-bun-blocker.yml index 16e7e38..2d18b2b 100644 --- a/.github/workflows/npm-bun-blocker.yml +++ b/.github/workflows/npm-bun-blocker.yml @@ -10,7 +10,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Block npm/bun run: | if [ -f "package-lock.json" ] || [ -f "bun.lockb" ] || [ -f ".npmrc" ]; then diff --git a/.github/workflows/quality.yml b/.github/workflows/quality.yml index eab89c5..1fc11b0 100644 --- a/.github/workflows/quality.yml +++ b/.github/workflows/quality.yml @@ -11,7 +11,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Check file permissions run: | @@ -43,7 +43,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Check documentation run: | MISSING="" diff --git a/.github/workflows/rescript-deno-ci.yml b/.github/workflows/rescript-deno-ci.yml index b83048a..2ab2b1d 100644 --- a/.github/workflows/rescript-deno-ci.yml +++ b/.github/workflows/rescript-deno-ci.yml @@ -5,7 +5,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.1 - uses: denoland/setup-deno@v2 with: deno-version: v1.x @@ -32,7 +32,7 @@ jobs: security: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v6.0.1 - uses: denoland/setup-deno@v2 - name: Check permissions run: | diff --git a/.github/workflows/rsr-antipattern.yml b/.github/workflows/rsr-antipattern.yml index 8b17fb3..24b19e5 100644 --- a/.github/workflows/rsr-antipattern.yml +++ b/.github/workflows/rsr-antipattern.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Check for TypeScript run: | diff --git a/.github/workflows/scorecard-enforcer.yml b/.github/workflows/scorecard-enforcer.yml index a057984..fd4d0b3 100644 --- a/.github/workflows/scorecard-enforcer.yml +++ b/.github/workflows/scorecard-enforcer.yml @@ -18,7 +18,7 @@ jobs: security-events: write id-token: write # For OIDC steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: persist-credentials: false @@ -53,7 +53,7 @@ jobs: check-critical: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 - name: Check SECURITY.md exists run: | diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index f9d3567..cd9b8b8 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -16,7 +16,7 @@ jobs: security-events: write id-token: write steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: false diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index c3244ba..9330a02 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -13,7 +13,7 @@ jobs: trufflehog: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 # Full history for scanning @@ -25,7 +25,7 @@ jobs: gitleaks: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 with: fetch-depth: 0 @@ -39,7 +39,7 @@ jobs: runs-on: ubuntu-latest if: hashFiles('**/Cargo.toml') != '' steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4 - name: Check for hardcoded secrets in Rust run: | diff --git a/.github/workflows/security-policy.yml b/.github/workflows/security-policy.yml index 1d280e9..f6498db 100644 --- a/.github/workflows/security-policy.yml +++ b/.github/workflows/security-policy.yml @@ -10,7 +10,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Security checks run: | FAILED=false diff --git a/.github/workflows/ts-blocker.yml b/.github/workflows/ts-blocker.yml index 0d721e6..cfead26 100644 --- a/.github/workflows/ts-blocker.yml +++ b/.github/workflows/ts-blocker.yml @@ -10,7 +10,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Block new TypeScript/JavaScript run: | NEW_TS=$(git diff --name-only --diff-filter=A HEAD~1 2>/dev/null | grep -E '\.(ts|tsx)$' | grep -v '\.gen\.' || true) diff --git a/.github/workflows/wellknown-enforcement.yml b/.github/workflows/wellknown-enforcement.yml index 597c087..ff48d9d 100644 --- a/.github/workflows/wellknown-enforcement.yml +++ b/.github/workflows/wellknown-enforcement.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: RFC 9116 security.txt validation run: | diff --git a/.github/workflows/workflow-linter.yml b/.github/workflows/workflow-linter.yml index 78fe1fc..80fb784 100644 --- a/.github/workflows/workflow-linter.yml +++ b/.github/workflows/workflow-linter.yml @@ -22,7 +22,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Check SPDX Headers run: | @@ -72,7 +72,7 @@ jobs: echo "$unpinned" echo "" echo "Replace version tags with SHA pins, e.g.:" - echo " uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1" + echo " uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.1.1" exit 1 fi echo "All actions are SHA-pinned"