Be a bit more strict with actions version

To be very secure, we should pin all to a commit SHA [1] but I think this might be a reasonable compromise since we're only using actions from well known organizations. [1]: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
line · Nov 9, 2023 · 1e1d5d6 · 1e1d5d6
1 parent e56aa7a
commit 1e1d5d6
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 10 deletions.
diff --git a/.github/workflows/django.yml b/.github/workflows/django.yml
@@ -36,8 +36,8 @@ jobs:
           --health-retries=3
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4.1.1
+      - uses: actions/setup-python@v4.7.1
         with:
           python-version: ${{ matrix.python-version }}
           cache: pip

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -18,11 +18,11 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v4.1.1
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v5.0.0
         with:
           images: line/promgen
           tags: |
@@ -33,13 +33,13 @@ jobs:
 
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.0.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v5.0.0
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
@@ -21,8 +21,8 @@ jobs:
         python-version: ["3.9"]
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@v4.1.1
+      - uses: actions/setup-python@v4.7.1
         with:
           python-version: ${{ matrix.python-version }}
           cache: pip
@@ -40,7 +40,7 @@ jobs:
           SECRET_KEY: github-actions
 
       - name: Upload pages artifact
-        uses: actions/upload-pages-artifact@v2
+        uses: actions/upload-pages-artifact@v2.0.0
         with:
           path: 'dist/html'
 
@@ -59,4 +59,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v2
+        uses: actions/deploy-pages@v2.0.4