diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a85d089d..752d9cd5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,8 +15,8 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v5
- - uses: oven-sh/setup-bun@v2
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
 with:
 bun-version: latest
 - run: bun install --frozen-lockfile
@@ -34,15 +34,15 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v5
- - uses: oven-sh/setup-bun@v2
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
 with:
 bun-version: latest
 - run: bun install --frozen-lockfile
 - run: bun playwright install chromium firefox webkit
 - run: bun run build
 - run: bun run test:e2e --reporter=github,html
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 if: always()
 with:
 name: playwright-report
@@ -54,8 +54,8 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v5
- - uses: oven-sh/setup-bun@v2
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
 with:
 bun-version: latest
 - run: bun install --frozen-lockfile
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 5bebf3e4..68482aa1 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -27,7 +27,7 @@ jobs:
 - language: javascript-typescript
 build-mode: none
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 - uses: github/codeql-action/init@8a06050a8c0348fb4738f28e0cfbb6727cf054ce # v4
 with:
 languages: ${{ matrix.language }}
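Review bot: In the `@@ -15` hunk of ci.yml the setup-bun step is now fixed to a commit, but the `bun-version: latest` context line directly below it still resolves whichever Bun release is current at run time, so the toolchain that executes `bun install` and the build stays unpinned. Set an explicit version there, e.g. `bun-version: "<pinned Bun version>"`, or point `bun-version-file` at a version file kept in the repository. The same line appears in the `@@ -34` and `@@ -54` hunks of ci.yml and in the deploy.yml hunk, where the build output is published with the Cloudflare API token. The step lists continue outside these hunks.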
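Review bot: The checkout step in the `@@ -34` hunk of ci.yml has no `with:` block, so actions/checkout keeps the job token in the local git configuration by default, and this job then runs package scripts and uploads an artifact. Adding `with:` and `persist-credentials: false` under the checkout line removes the token from the workspace before `bun install` runs. The upload step's `path:` lies outside the hunk, so whether it could ever include `.git` cannot be checked here. The other checkout steps touched by this commit (ci.yml `@@ -15` and `@@ -54`, codeql.yml, semgrep.yml, typos.yml, and deploy.yml, which already has a `with:` block) are candidates for the same setting unless a later step needs authenticated git access.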
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index caef090e..75a30507 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -17,21 +17,21 @@ jobs:
 contents: read
 deployments: write
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 with:
 fetch-depth: 0 # full history to get the last tagged git commit
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: .wrangler/state
 key: wrangler-${{ github.run_id }}
 restore-keys: |
 wrangler-
- - uses: oven-sh/setup-bun@v2
+ - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
 with:
 bun-version: latest
 - run: bun install --frozen-lockfile
 - run: bun run build
- - uses: cloudflare/wrangler-action@v3
+ - uses: cloudflare/wrangler-action@da0e0dfe58b7a431659754fdf3f186c529afbe65 # v3
 with:
 accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 728d05f7..a7f1ccef 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -14,13 +14,13 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 5
 container:
- image: semgrep/semgrep
+ image: semgrep/semgrep@sha256:4372a1de903521f9f10f877b6caf15d150d17e1ca592582682c8d02b77cbd4f6
 permissions:
 actions: read
 contents: read
 security-events: write
 steps:
- - uses: actions/checkout@v5
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
 - run: semgrep ci --sarif-output=semgrep.sarif
 env:
 SEMGREP_RULES: p/default p/owasp-top-ten p/cwe-top-25 p/gitleaks p/r2c-security-audit
diff --git a/.github/workflows/typos.yml b/.github/workflows/typos.yml
index f1f3cd3e..0d5507a3 100644
--- a/.github/workflows/typos.yml
+++ b/.github/workflows/typos.yml
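Review bot: Pinning `cloudflare/wrangler-action` by commit in the deploy.yml hunk fixes the action's own code, but not necessarily the Wrangler CLI that the action runs with `apiToken`; the action may install the CLI at run time when it does not find one in the project. The `with:` block continues past the end of the hunk, so this may already be handled there. If it is not, add `wranglerVersion: "<pinned Wrangler version>"`, or make sure Wrangler is a locked project dependency so that `bun install --frozen-lockfile` determines the version that deploys.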
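Review bot: The digest on `image:` in the semgrep.yml hunk carries no record of which Semgrep release it was resolved from, unlike the `# v5` comments on the action pins, so a reviewer cannot tell how old the scanner is or check the digest against a published tag. Add a trailing comment such as `# semgrep <release the digest was taken from>`, and confirm that whatever tool bumps the action SHAs also refreshes this digest, since a scanner image that never moves stops receiving engine fixes. The rule packs named in `SEMGREP_RULES` are still fetched at run time, which this pin does not cover.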
@@ -14,5 +14,5 @@ jobs:
 permissions:
 contents: read
 steps:
- - uses: actions/checkout@v5
- - uses: crate-ci/typos@v1
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+ - uses: crate-ci/typos@80c8a4945eec0f6d464eaf9e65ed98ef085283d1 # v1
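Review bot: The `# v1` comment on the `crate-ci/typos` pin in typos.yml names a moving major tag, so it will not help anyone confirm later that the SHA corresponds to a published release. Record the exact tag the SHA was taken from, `# <exact v1.x.y tag>`, and do the same for the `# v5`, `# v4`, `# v3` and `# v2` comments added in ci.yml, codeql.yml, deploy.yml and semgrep.yml. Update bots that rewrite pinned SHAs generally keep such a version comment in step, which keeps future pin-bump diffs reviewable.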