From 9e363ca6b2adfd4a7d549d28a8d5ae5594d489f8 Mon Sep 17 00:00:00 2001
From: Kaze <230549489+kaze-cow@users.noreply.github.com>
Date: Tue, 7 Apr 2026 15:20:11 +0900
Subject: [PATCH] ci: pin actions to commit hashes

Replaces mutable version tags with locked commit SHAs to prevent supply chain attacks from compromised or force-pushed tags.
---
 .github/workflows/add-action-project.yml | 2 +-
 .github/workflows/ci.yml | 6 +++---
 .github/workflows/cla.yml | 2 +-
 .github/workflows/gas.yml | 8 ++++----
 .github/workflows/lint.yml | 4 ++--
 .github/workflows/publish.yml | 2 +-
 .github/workflows/review-check.yml | 2 +-
 .github/workflows/test.yml | 8 ++++----
 8 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/add-action-project.yml b/.github/workflows/add-action-project.yml
index ce969e76..78d3bea7 100644
--- a/.github/workflows/add-action-project.yml
+++ b/.github/workflows/add-action-project.yml
@@ -10,7 +10,7 @@ jobs:
 name: Add issue to project
 runs-on: ubuntu-latest
 steps:
- - uses: actions/add-to-project@v0.3.0
+ - uses: actions/add-to-project@a9f041ddd462ed185893ea1024cec954f50dbe42 # v0.3.0
 with:
 project-url: https://github.com/orgs/cowprotocol/projects/8
 github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cbc52d4a..c5627aad 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
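Review bot: The SHA pin on the new `uses:` line is only as safe as whatever bumps it; once the tag is no longer referenced, nothing moves `a9f041dd…` forward when upstream ships a fix unless an updater knows about the pin. If the repository does not already have a `.github/dependabot.yml` entry with `package-ecosystem: github-actions` (or a Renovate equivalent), add one alongside this change — Dependabot resolves SHA pins and rewrites the trailing `# v0.3.0` comment when it bumps them. The same applies to every hunk in this patch (ci.yml, cla.yml, gas.yml, lint.yml, publish.yml, review-check.yml, test.yml). Note also that the `# v0.3.0` comment is informational only: the runner executes the SHA regardless, so a reviewer should confirm that SHA actually resolves to that tag before merging.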
@@ -13,13 +13,13 @@ jobs:
 os: [ubuntu-latest]
 runs-on: ${{ matrix.os }}
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: ${{ matrix.node }}
 - id: yarn-cache
 run: echo "::set-output name=dir::$(yarn cache dir)"
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache.outputs.dir }}
 key: ${{ matrix.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml
index 5ab79ff7..a6550dbc 100644
--- a/.github/workflows/cla.yml
+++ b/.github/workflows/cla.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: "CLA Assistant"
 if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
- uses: contributor-assistant/github-action@v2.6.1
+ uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
diff --git a/.github/workflows/gas.yml b/.github/workflows/gas.yml
index 40a3b44d..1d4777f5 100644
--- a/.github/workflows/gas.yml
+++ b/.github/workflows/gas.yml
@@ -27,14 +27,14 @@ jobs:
 gas:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 - id: yarn-cache
 run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache.outputs.dir }}
 key: yarn-${{ hashFiles('**/yarn.lock') }}
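Review bot: The trailing `# v4` comments on the three new `uses:` lines in ci.yml record a floating major tag, not the release the SHA was taken from, so the comment cannot be used to verify the pin or to see what a later bump actually changed. Record the exact release the SHA resolves to (e.g. `# v4.<minor>.<patch>`, filled in from the upstream release) — the `# v0.3.0` and `# v2.6.1` comments elsewhere in this patch already follow that form, and SHA-pin tooling keeps it in sync. This applies to every `# v4` / `# v1` comment in ci.yml, gas.yml, lint.yml, review-check.yml and test.yml. Separately, the context line `run: echo "::set-output name=dir::$(yarn cache dir)"` still uses the `::set-output` workflow command that GitHub has deprecated, while gas.yml and test.yml in the same patch already write `echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"`; aligning it while the file is open avoids a second pass.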
@@ -43,7 +43,7 @@ jobs:
 - run: yarn --frozen-lockfile
 - name: Install Foundry
- uses: foundry-rs/foundry-toolchain@v1
+ uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10 # v1
 with:
 version: v1.3.5
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 7c790958..d196fd14 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -22,12 +22,12 @@ jobs:
 name: Foundry project
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
 - name: Install Foundry
- uses: foundry-rs/foundry-toolchain@v1
+ uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10 # v1
 with:
 version: v1.3.5
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 5288312e..9058e8ba 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,7 +12,7 @@ jobs:
 deploy:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3
 - name: Print warning
 run: echo 'Publishing this branch to NPM is not supported'
 - name: Make the action fail
diff --git a/.github/workflows/review-check.yml b/.github/workflows/review-check.yml
index c52f02c5..3160225c 100644
--- a/.github/workflows/review-check.yml
+++ b/.github/workflows/review-check.yml
@@ -10,7 +10,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: Check if PR modifies specific path
 shell: bash
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5ba613cd..f7f94f74 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
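Review bot: Pinning `foundry-rs/foundry-toolchain` to a SHA locks the action's own code but not the toolchain it installs: the unchanged `version: v1.3.5` input is still a tag-style reference that, as far as this hunk shows, the action resolves at run time, so the Foundry binary that actually executes on the runner is not covered by the pin this commit introduces. If the aim is a reproducible, tamper-evident toolchain, check whether the action input or a follow-up step can verify the downloaded archive against a checksum recorded in the repository; otherwise the description's claim about force-pushed tags holds for the action wrapper only, and a short comment above `version:` saying so would set expectations. The identical `with: version: v1.3.5` sits under the same pin in lint.yml and test.yml.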
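Review bot: publish.yml pins `actions/checkout` to a SHA of the v3 line (`f43a0e5f…`) while every other workflow in this patch moves to the v4 SHA `34e114876b0b11c390a56381ad16ebd13914f8d5 # v4`; since the line is being rewritten anyway, pinning the same v4 SHA keeps one checkout version across the repository and avoids a separate v3 pin that any updater would bump on its own track. The job only prints a warning and then fails, so the checkout is low-stakes; if staying on v3 is deliberate, a one-line comment above the step saying why would spare the next reviewer the same question.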
@@ -32,14 +32,14 @@ jobs:
 name: Foundry project
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 submodules: recursive
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 - id: yarn-cache
 run: echo "dir=$(yarn cache dir)" >> "$GITHUB_OUTPUT"
- - uses: actions/cache@v4
+ - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
 with:
 path: ${{ steps.yarn-cache.outputs.dir }}
 key: yarn-${{ hashFiles('**/yarn.lock') }}
@@ -48,7 +48,7 @@ jobs:
 - run: yarn --frozen-lockfile
 - name: Install Foundry
- uses: foundry-rs/foundry-toolchain@v1
+ uses: foundry-rs/foundry-toolchain@8789b3e21e6c11b2697f5eb56eddae542f746c10 # v1
 with:
 version: v1.3.5