build: pin workflow digests

setchy · setchy · commit 99e74dda9e43 · 2025-02-21T14:51:51.000-05:00
Signed-off-by: Adam Setch &lt;adam.setch@outlook.com&gt;
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -3,28 +3,40 @@ name: Build
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   build-macos:
     name: Build macOS (electron-builder)
     runs-on: macos-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm build
       - run: pnpm prepare:remove-source-maps
       - run: pnpm package:macos --publish=never -c.mac.identity=null
         env:
           CSC_LINK: ${{ secrets.mac_certs }}
           CSC_KEY_PASSWORD: ${{ secrets.mac_certs_password }}
+      
       - name: Clean up builds
         run: rm -rfv dist/mac-universal
-      - uses: actions/upload-artifact@v4
+      
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4.6.1
         with:
           name: Gitify-dist-mac
           path: dist/
@@ -35,19 +47,28 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm build
       - run: pnpm prepare:remove-source-maps
       - run: pnpm package:win --publish=never
+      
       - name: Clean up builds
         run: Remove-Item dist/win-unpacked -Recurse
-      - uses: actions/upload-artifact@v4
+      
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4.6.1
         with:
           name: Gitify-dist-win
           path: dist
@@ -58,19 +79,28 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm build
       - run: pnpm prepare:remove-source-maps
       - run: pnpm package:linux --publish=never
+      
       - name: Clean up builds
         run: rm -rfv dist/linux-unpacked
-      - uses: actions/upload-artifact@v4
+      
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4.6.1
         with:
           name: Gitify-dist-linux
           path: dist
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -3,18 +3,27 @@ name: Lint
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: biomejs
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm lint:check
           
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -13,12 +13,18 @@ jobs:
     runs-on: macos-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm build
         env:
@@ -34,7 +40,9 @@ jobs:
           CSC_KEY_PASSWORD: ${{ secrets.mac_certs_password }}
           GH_TOKEN: ${{ secrets.github_token }}
           NOTARIZE: true
-      - uses: actions/upload-artifact@v4
+      
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4.6.1
         with:
           name: Gitify-release-mac
           path: dist/
@@ -45,12 +53,18 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm build
         env:
@@ -60,7 +74,9 @@ jobs:
       - run: pnpm package:win --publish onTagOrDraft
         env:
           GH_TOKEN: ${{ secrets.github_token }}
-      - uses: actions/upload-artifact@v4
+      
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4.6.1
         with:
           name: Gitify-release-win
           path: dist/
@@ -71,12 +87,18 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm build
         env:
@@ -86,7 +108,9 @@ jobs:
       - run: pnpm package:linux --publish onTagOrDraft
         env:
           GH_TOKEN: ${{ secrets.github_token }}
-      - uses: actions/upload-artifact@v4
+      
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4.6.1
         with:
           name: Gitify-release-linux
           path: dist/
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
@@ -10,18 +10,28 @@ on:
     paths:
       - renovate.json
 
+permissions:
+  contents: read
+
 jobs:
   renovate-config-validator:
     name: Config validation
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version-file: .nvmrc
-      - uses: pnpm/action-setup@v3
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
         with:
           run_install: false
+
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        with:
+          node-version-file: .nvmrc
+      
       - run: pnpm install --global renovate
+      
       - name: Validate Renovate config
         run: renovate-config-validator
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -3,23 +3,33 @@ name: Test
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   run-unit-tests:
     name: Run Tests
     runs-on: macos-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
       - run: pnpm tsc --noEmit
       - run: pnpm test --coverage --runInBand --verbose
+      
       - name: Archive code coverage results
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v4.6.1
         with:
           name: code-coverage-report
           path: coverage/lcov.info
@@ -32,22 +42,30 @@ jobs:
     if: github.event.pull_request.head.repo.fork == false  
     
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
-      - uses: pnpm/action-setup@v3
-      - uses: actions/setup-node@v4
+      
+      - name: Setup pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+      
+      - name: Setup Node
+        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
           node-version-file: '.nvmrc'
           cache: 'pnpm'
+      
       - run: pnpm install
+     
       - name: Download a single artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v4.1.8
         with:
           name: code-coverage-report
           path: coverage/
+      
       - name: SonarQube Cloud Scan
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@v5.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
@@ -21,7 +21,7 @@ jobs:
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v7
+      - uses: actions/github-script@v7.0.1
         with:
           script: |
             const title = context.payload.pull_request.title;
@@ -45,4 +45,4 @@ jobs:
     name: Auto-label PR
     runs-on: ubuntu-latest
     steps:
-      - uses: fuxingloh/multi-labeler@v4
+      - uses: fuxingloh/multi-labeler@v4.0.0
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
@@ -6,6 +6,9 @@ on:
       - v*.*.*
   workflow_dispatch: # For manually verify website deployment
 
+permissions:
+  contents: read
+
 jobs:
   redeploy-website:
     name: Deploy Website
diff --git a/renovate.json b/renovate.json
@@ -5,7 +5,8 @@
     ":separateMultipleMajorReleases",
     ":enableVulnerabilityAlerts",
     "schedule:weekly",
-    "customManagers:biomeVersions"
+    "customManagers:biomeVersions",
+    "helpers:pinGitHubActionDigests"
   ],
   "labels": ["dependency"],
   "prConcurrentLimit": 5,
