From 64c84b501c1cb811465e01854c448548a0960ac0 Mon Sep 17 00:00:00 2001
From: HeavenVR
Date: Wed, 6 May 2026 22:02:52 +0200
Subject: [PATCH] security: Pin Github Actions
---
 .github/workflows/build-module-base.yml | 18 ++++++-------
 .github/workflows/ci-build.yml | 34 ++++++++++++-------------
 .github/workflows/ci-tag.yml | 12 ++++-----
 3 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/.github/workflows/build-module-base.yml b/.github/workflows/build-module-base.yml
index 30fb0b0..0b59228 100644
--- a/.github/workflows/build-module-base.yml
+++ b/.github/workflows/build-module-base.yml
@@ -23,7 +23,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Check host dependency list is in sync
 run: bash scripts/sync-host-deps.sh
@@ -34,15 +34,15 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup .NET SDK ${{ env.DOTNET_VERSION }}
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: ${{ env.DOTNET_VERSION }}
 - name: Cache NuGet packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.nuget/packages
 key: module-base-nuget
@@ -70,7 +70,7 @@ jobs:
 run: dotnet build ModuleBase/ModuleBase.csproj -c Release -o ./publish/ModuleBase -p:PackageVersion=${{ steps.version.outputs.package_version }}
 - name: Upload artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: OpenShock Desktop Module Base
 path: ./publish/ModuleBase/**
@@ -87,7 +87,7 @@ jobs:
 steps:
 - name: Download artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: OpenShock Desktop Module Base
 path: ./packages
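Review bot: Nothing in the patch keeps these SHA pins current or ties them to the tags named in the trailing comments; the diffstat lists only the three workflow files, so no updater configuration is added alongside them. A comment such as `# v6.0.2` is not checked by the runner, so each SHA should be confirmed against the upstream tag before merge. If the repository does not already have one, a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` would bump the SHA and its version comment together. This applies to every pinned `uses:` line in all three files, starting with the `actions/checkout` pin in this first hunk.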
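Review bot: The `Cache NuGet packages` step in the `-34,15` hunk keeps the constant `key: module-base-nuget`, so once an entry exists it is restored on every run and is not re-saved when the project's dependencies change. The restored packages feed the build whose output is uploaded as `OpenShock Desktop Module Base` and, judging by the later NuGet login hunk, published. Consider deriving the key from the dependency manifest, e.g. `key: module-base-nuget-${{ hashFiles('**/*.csproj') }}`, or not restoring a cache in the publishing path. The hunk ends at the `key:` line, so a `restore-keys` entry may exist outside it; the same pattern appears in ci-build.yml with `windows-maui-nuget` and `linux-photino-nuget`.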
@@ -105,18 +105,18 @@ jobs:
 steps:
 - name: Setup .NET SDK ${{ env.DOTNET_VERSION }}
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: ${{ env.DOTNET_VERSION }}
 - name: Download artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: OpenShock Desktop Module Base
 path: ./packages
 - name: Login to NuGet.org with trusted publishing
- uses: NuGet/login@v1
+ uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
 id: nuget-login
 with:
 user: ${{ secrets.NUGET_USER }}
diff --git a/.github/workflows/ci-build.yml b/.github/workflows/ci-build.yml
index 1740cc5..1d10d5c 100644
--- a/.github/workflows/ci-build.yml
+++ b/.github/workflows/ci-build.yml
@@ -43,10 +43,10 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup .NET SDK ${{ env.DOTNET_VERSION }}
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: ${{ env.DOTNET_VERSION }}
@@ -54,7 +54,7 @@ jobs:
 run: dotnet workload install maui-windows
 - name: Cache NuGet packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.nuget/packages
 key: windows-maui-nuget
@@ -65,7 +65,7 @@ jobs:
 run: dotnet publish Desktop/Desktop.csproj -c Release-Windows -o ./publish/Windows-Maui
 - name: Upload OpenShock Desktop Windows artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: OpenShock Desktop Windows MAUI
 path: publish/Windows-Maui/*
@@ -79,13 +79,13 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 sparse-checkout: |
 Installer
 - name: Download artifacts
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: OpenShock Desktop Windows MAUI
 path: publish/
@@ -94,13 +94,13 @@ jobs:
 run: choco install nsis -y
 - name: Create nsis installer
- uses: joncloud/makensis-action@publish
+ uses: joncloud/makensis-action@971ef20f43e4f9f3af2c7f276cb7348d033da1cd # v5.0
 with:
 script-file: ${{ github.workspace }}/Installer/installer.nsi
 additional-plugin-paths: ${{ github.workspace }}/Installer/Plugins
 - name: Upload OpenShock Desktop Windows Setup
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: OpenShock_Desktop_Setup
 path: Installer/OpenShock_Desktop_Setup.exe
@@ -114,13 +114,13 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Log in to Container Registry
- uses: docker/login-action@v4
+ uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -128,7 +128,7 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
 with:
 images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/desktop
 flavor: |
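Review bot: The `makensis-action` line in the `-94,13` hunk replaces a branch ref (`@publish`) with a SHA commented `# v5.0`, and nothing visible shows that the branch head and that tag are the same commit, so the pin may change which code builds the installer. It is worth confirming the SHA against upstream and saying in the commit message whether this is a like-for-like pin. The step above it, `run: choco install nsis -y`, still installs whatever NSIS version is current, so the compiler that produces `OpenShock_Desktop_Setup.exe` stays unpinned; `run: choco install nsis -y --version <NSIS_VERSION>` (placeholder) would close that gap. The job continues outside the hunk.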
@@ -144,7 +144,7 @@ jobs:
 type=semver,pattern={{major}}.{{minor}}.{{patch}}
 - name: Build and push
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
 with:
 context: .
 file: Dockerfile
@@ -163,15 +163,15 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Setup .NET SDK ${{ env.DOTNET_VERSION }}
- uses: actions/setup-dotnet@v5
+ uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
 with:
 dotnet-version: ${{ env.DOTNET_VERSION }}
 - name: Cache NuGet packages
- uses: actions/cache@v5
+ uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
 with:
 path: ~/.nuget/packages
 key: linux-photino-nuget
@@ -182,7 +182,7 @@ jobs:
 run: dotnet publish Desktop/Desktop.csproj -c Release-Photino -o ./publish/Photino-Linux
 - name: Upload OpenShock Desktop Photino Linux artifacts
- uses: actions/upload-artifact@v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: OpenShock Desktop Photino Linux
 path: publish/Photino-Linux/*
diff --git a/.github/workflows/ci-tag.yml b/.github/workflows/ci-tag.yml
index 8e1cfdb..2eba0a8 100644
--- a/.github/workflows/ci-tag.yml
+++ b/.github/workflows/ci-tag.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 - name: Find latest tag
 id: latest-tag
- uses: oprypin/find-latest-tag@v1
+ uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1 # v1.1.2
 continue-on-error: true
 with:
 repository: ${{ github.repository }}
@@ -36,7 +36,7 @@ jobs:
 steps:
 - name: Find latest RC tag
 id: latest-rc
- uses: oprypin/find-latest-tag@v1
+ uses: oprypin/find-latest-tag@dd2729fe78b0bb55523ae2b2a310c6773a652bd1 # v1.1.2
 continue-on-error: true
 with:
 repository: ${{ github.repository }}
@@ -68,19 +68,19 @@ jobs:
 contents: write
 steps:
 - name: Download Windows installer
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: OpenShock_Desktop_Setup
 path: artifacts/
 - name: Download Linux Photino
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: OpenShock Desktop Photino Linux
 path: artifacts/photino-linux/
 - name: Download Module Base
- uses: actions/download-artifact@v8
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: OpenShock Desktop Module Base
 path: artifacts/module-base/
@@ -91,7 +91,7 @@ jobs:
 cd artifacts/module-base && zip -r ../OpenShock.Desktop.Module.Base.zip . && cd ../..
 - name: Create draft release
- uses: softprops/action-gh-release@v2
+ uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
 with:
 tag_name: ${{ github.ref_name }}
 name: ${{ github.ref_name }}
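Review bot: The `Create draft release` step in the `-91,7` hunk moves from `@v2` to a SHA commented `# v3.0.0`, so this line is a major-version upgrade rather than a pin of what was already running; every other change in the patch stays within its previous major. The step appears to run in the job that holds `contents: write` (visible in the preceding hunk), so the new major's release notes should be checked against the inputs used here (`tag_name`, `name`, and whatever follows outside the hunk). Either pin to the latest v2 commit to keep the commit a pure pinning change, or name the upgrade in the commit message so it is reviewed as one.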