From 3106e622e624d1ab7d3f692a87fff934468f8d10 Mon Sep 17 00:00:00 2001
From: Marvin Vogt <m@rvinvogt.com>
Date: Sun, 6 Oct 2024 16:41:25 +0000
Subject: [PATCH] Pin all workflow actions to specific SHA

---
 .github/workflows/benchmark.yml |  6 +++---
 .github/workflows/links.yml     |  6 +++---
 .github/workflows/test.yml      | 12 ++++++------
 .github/workflows/verify.yml    | 18 ++++++++++--------
 4 files changed, 22 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index fd427b1..8cf7f30 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -14,9 +14,9 @@ jobs:
   benchmarks:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: Setup rust toolchain, cache and cargo-codspeed binary
-        uses: moonrepo/setup-rust@v1
+        uses: moonrepo/setup-rust@e013866c4215f77c925f42f60257dec7dd18836e
         with:
           channel: stable
           cache-target: release
@@ -24,7 +24,7 @@ jobs:
       - name: Build the benchmark target(s)
         run: cargo codspeed build
       - name: Run the benchmarks
-        uses: CodSpeedHQ/action@v3
+        uses: CodSpeedHQ/action@ab07afd34cbbb7a1306e8d14b7cc44e029eee37a
         with:
           run: cargo codspeed run
           token: ${{ secrets.CODSPEED_TOKEN }}
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 0d0e109..376230e 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -14,13 +14,13 @@ jobs:
   link-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: Check for broken links
         id: lychee
-        uses: lycheeverse/lychee-action@v1
+        uses: lycheeverse/lychee-action@2b973e86fc7b1f6b36a93795fe2c9c6ae1118621
       - name: Create Issue From File
         if: env.lychee_exit_code != 0
-        uses: peter-evans/create-issue-from-file@v5
+        uses: peter-evans/create-issue-from-file@e8ef132d6df98ed982188e460ebb3b5d4ef3a9cd
         with:
           title: Link Checker Report
           content-filepath: ./lychee/out.md
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f32497f..b833075 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,22 +18,22 @@ jobs:
       matrix:
         rust_version: ["1.74", "stable"]
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@master
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
         with:
           toolchain: ${{ matrix.rust_version }}
           components: llvm-tools-preview
-      - uses: Swatinem/rust-cache@v2
-      - uses: taiki-e/install-action@v2
+      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
+      - uses: taiki-e/install-action@6d49eff78fe8ad9f571fb25522747f2d9e84be6b
         with:
           tool: cargo-llvm-cov
-      - uses: extractions/setup-just@v2
+      - uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6
 
       - name: Test
         run: just test
 
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v4.5.0
+        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238
         with:
           name: Rust ${{ matrix.rust_version }}
           files: lcov.info
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 76ca232..b601931 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -12,18 +12,20 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: Swatinem/rust-cache@v2
-      - uses: extractions/setup-just@v2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - uses: dtolnay/rust-toolchain@1482605bfc5719782e1267fd0c0cc350fe7646b8
+        with:
+          toolchain: stable
+      - uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84
+      - uses: extractions/setup-just@dd310ad5a97d8e7b41793f8ef055398d51ad4de6
 
       - run: just lint
   spellcheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
       - name: check for typos
-        uses: crate-ci/typos@v1.25.0
+        uses: crate-ci/typos@f12cee1d8f3c79282a98ecb41d235aef17dfa8fd
   cargo-deny:
     runs-on: ubuntu-latest
     strategy:
@@ -34,7 +36,7 @@ jobs:
     # Prevent sudden announcement of a new advisory from failing CI:
     continue-on-error: ${{ matrix.checks == 'advisories' }}
     steps:
-      - uses: actions/checkout@v4
-      - uses: EmbarkStudios/cargo-deny-action@v2
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
+      - uses: EmbarkStudios/cargo-deny-action@8371184bd11e21dcf8ac82ebf8c9c9f74ebf7268
         with:
           command: check ${{ matrix.checks }}