ENH: Pin GitHub actions to full length commit SHA

jcfr · jcfr · commit c47ba0836bba · 2024-08-20T11:00:35.000-04:00
GitHub's security hardening guide recommends this mitigation method. https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
diff --git a/.github/workflows/commit-message.yml b/.github/workflows/commit-message.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check Commit Prefix
-        uses: gsactions/commit-message-checker@v2
+        uses: gsactions/commit-message-checker@16fa2d5de096ae0d35626443bcd24f1e756cafee # v2.0.0
         with:
           pattern: "^(ENH|PERF|BUG|STYLE|DOC|COMP): ([A-Z])+"
           flags: "gm"
@@ -29,7 +29,7 @@ jobs:
           checkAllCommitMessages: "true" # optional: this checks all commits associated with a pull request
           accessToken: ${{ secrets.GITHUB_TOKEN }} # github access token is only required if checkAllCommitMessages is true
       - name: Check Line Length
-        uses: gsactions/commit-message-checker@v2
+        uses: gsactions/commit-message-checker@16fa2d5de096ae0d35626443bcd24f1e756cafee # v2.0.0
         with:
           pattern: "^[^#].{1,78}$"
           error: "The maximum line length of 78 characters is exceeded. For more details, see https://slicer.readthedocs.io/en/latest/developer_guide/style_guide.html#commits"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -15,15 +15,15 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
 
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
   pre-commit-cookie:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - run: pipx run nox -s 'pre-commit-cookie'
diff --git a/{{cookiecutter.project_name}}/.github/workflows/commit-message.yml b/{{cookiecutter.project_name}}/.github/workflows/commit-message.yml
@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check Commit Prefix
-        uses: gsactions/commit-message-checker@v2
+        uses: gsactions/commit-message-checker@16fa2d5de096ae0d35626443bcd24f1e756cafee # v2.0.0
         with:
           pattern: "^(ENH|PERF|BUG|STYLE|DOC|COMP): ([A-Z])+"
           flags: "gm"
@@ -29,7 +29,7 @@ jobs:
           checkAllCommitMessages: "true" # optional: this checks all commits associated with a pull request
           accessToken: {% raw %}${{ secrets.GITHUB_TOKEN }}{% endraw %} # github access token is only required if checkAllCommitMessages is true
       - name: Check Line Length
-        uses: gsactions/commit-message-checker@v2
+        uses: gsactions/commit-message-checker@16fa2d5de096ae0d35626443bcd24f1e756cafee # v2.0.0
         with:
           pattern: "^[^#].{1,78}$"
           error: "The maximum line length of 78 characters is exceeded. For more details, see https://slicer.readthedocs.io/en/latest/developer_guide/style_guide.html#commits"
diff --git a/{{cookiecutter.project_name}}/.github/workflows/lint.yml b/{{cookiecutter.project_name}}/.github/workflows/lint.yml
@@ -15,10 +15,10 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: "3.9"
 
-      - uses: pre-commit/action@v3.0.1
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
