ci: pin all GitHub Actions to full SHA digests

Pin every third-party GitHub Action to its current commit SHA with a version comment, eliminating supply chain risk from mutable version tags. Mutable tags (v4, v2, etc.) can be force-pushed by upstream maintainers; SHA digests are immutable. 18 unique actions pinned across 9 workflow files. Closes #357 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:32:18 +01:00 · 2026-02-16 17:32:18 +01:00 · 9df5a07640
commit 9df5a07640
parent 639032c952
9 changed files with 43 additions and 43 deletions
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@ -24,10 +24,10 @@ jobs:
        runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
        timeout-minutes: 20
        steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

-            - uses: dtolnay/rust-toolchain@stable
-            - uses: Swatinem/rust-cache@v2
+            - uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable
+            - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2

            - name: Install cargo-audit
              run: cargo install --locked cargo-audit --version 0.22.1
@ -40,8 +40,8 @@ jobs:
        runs-on: ${{ github.event_name != 'pull_request' && fromJSON('["self-hosted","Linux","X64","lxc-ci"]') || 'ubuntu-latest' }}
        timeout-minutes: 20
        steps:
-            - uses: actions/checkout@v4
+            - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

-            - uses: EmbarkStudios/cargo-deny-action@v2
+            - uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2
              with:
                  command: check advisories licenses sources