Update and pin workflows (#904)

* update workflow action versions

* update rest of actions

* Pin workflows to sha

Author: davidliu

.github/workflows/android.yml

@@ -28,18 +28,18 @@ jobs:
         working-directory: ./client-sdk-android
     steps:
     - name: checkout client-sdk-android
-      uses: actions/checkout@v4.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         path: ./client-sdk-android
         submodules: recursive
 
     - name: set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
         java-version: '17'
         distribution: 'adopt'
 
-    - uses: actions/cache@v4
+    - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: |
           ~/.gradle/caches
@@ -62,7 +62,7 @@ jobs:
       run: ./gradlew assembleRelease livekit-android-test:testRelease
 
     - name: Upload AAR
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: livekit-android-sdk-release.aar
         path: client-sdk-android/livekit-android-sdk/build/outputs/aar/livekit-android-sdk-release.aar
@@ -187,7 +187,7 @@ jobs:
       # Setting up diffuse artifacts
     - name: Setup cache for base source file for diffuse
       if: github.event_name == 'push'
-      uses: actions/cache@v4
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: client-sdk-android/diffuse-source-file
         key: diffuse-${{ github.sha }}
@@ -200,7 +200,7 @@ jobs:
 
     - name: Repository Dispatch
       if: github.event_name == 'push'
-      uses: peter-evans/repository-dispatch@v2
+      uses: peter-evans/repository-dispatch@bf47d102fdb849e755b0b0023ea3e81a44b6f570 # v2.1.2
       with:
         token: ${{ secrets.E2E_DISPATCH_TOKEN }}
         repository: livekit/e2e-android
@@ -213,26 +213,26 @@ jobs:
     name: Diffuse checker
     needs: build
     steps:
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           java-version: '17'
           distribution: 'adopt'
 
       # Diffuse checking for pull requests
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         name: Download base source AAR for diffuse
         with:
           path: client-sdk-android/diffuse-source-file
           key: diffuse-${{ github.event.pull_request.base.sha }}
 
-      - uses: actions/download-artifact@v5
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         name: Download current release AAR for diffuse
         with:
           name: livekit-android-sdk-release.aar
           path: client-sdk-android/
 
       - id: diffuse
-        uses: usefulness/diffuse-action@v1
+        uses: usefulness/diffuse-action@41995fe8ff6be0a8847e63bdc5a4679c704b455c # v0.11.0
         with:
           old-file-path: client-sdk-android/diffuse-source-file
           new-file-path: client-sdk-android/livekit-android-sdk-release.aar
@@ -244,14 +244,14 @@ jobs:
 
       # Consuming diffuse action output
 
-      - uses: peter-evans/find-comment@v4
+      - uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
         if: github.event.pull_request.head.repo.full_name == github.repository
         id: find_comment
         with:
           issue-number: ${{ github.event.pull_request.number }}
           body-includes: Diffuse output
 
-      - uses: peter-evans/create-or-update-comment@v5
+      - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
         if: github.event.pull_request.head.repo.full_name == github.repository && (steps.diffuse.outputs.diff-raw != null || steps.find_comment.outputs.comment-id != null)
         with:
           body: |
@@ -263,7 +263,7 @@ jobs:
           issue-number: ${{ github.event.pull_request.number }}
           token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: diffuse-output
           path: ${{ steps.diffuse.outputs.diff-file }}

.github/workflows/changesets.yml

@@ -19,16 +19,16 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: pnpm/action-setup@v2
+      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
         with:
-          version: 9
+          version: 10
 
-      - name: Use Node.js 20
-        uses: actions/setup-node@v4
+      - name: Use Node.js 24
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 24
           cache: "pnpm"
 
       - name: Install dependencies
@@ -46,7 +46,7 @@ jobs:
 
       - name: Create Release Pull Request
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
         with:
           title: ${{ steps.getver.outputs.TITLE }}
           commit: ${{ steps.getver.outputs.TITLE }}
@@ -79,13 +79,13 @@ jobs:
         working-directory: ./client-sdk-android
     steps:
       - name: checkout client-sdk-android
-        uses: actions/checkout@v4.0.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           path: ./client-sdk-android
           submodules: recursive
 
       - name: set up JDK 17
-        uses: actions/setup-java@v3.12.0
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           java-version: '17'
           distribution: 'adopt'
@@ -135,7 +135,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Update snapshot
         id: update
@@ -147,7 +147,7 @@ jobs:
         run: echo $SNAPSHOT_VERSION
 
       - name: Create Update SNAPSHOT Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
         with:
           token: ${{ secrets.CHANGESET_GH_TOKEN }}
           branch: dl/update_snapshot_ver
@@ -162,14 +162,14 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Get version
         id: version
         run: echo "VERSION=$(./ci/get_version.sh)" >> "$GITHUB_OUTPUT"
 
       - name: Dispatch to components-android
-        uses: peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
         with:
           token: ${{ secrets.E2E_DISPATCH_TOKEN }}
           repository: livekit/components-android

.github/workflows/dependency_diff.yml

@@ -18,18 +18,18 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
-      - uses: actions/setup-java@v4
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
           distribution: 'adopt'
           java-version: 17
 
-      - uses: gradle/actions/setup-gradle@v4
+      - uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6.0.1
 
       - id: dependency-diff
         name: Generate dependency diff
-        uses: usefulness/dependency-tree-diff-action@v2
+        uses: usefulness/dependency-tree-diff-action@59b54501869fa22e102545c8a3a006aa3c3a3c2e # v2.2.0
         with:
           project: 'livekit-android-sdk'
 
@@ -38,14 +38,14 @@ jobs:
           echo "Dependency diff:"
           echo "${{ steps.dependency-diff.outputs.text-diff }}"
 
-      - uses: peter-evans/find-comment@v4
+      - uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
         if: github.event.pull_request.head.repo.full_name == github.repository
         id: find_comment
         with:
           issue-number: ${{ github.event.pull_request.number }}
           body-includes: Dependency diff
 
-      - uses: peter-evans/create-or-update-comment@v5
+      - uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
         if: github.event.pull_request.head.repo.full_name == github.repository && (steps.dependency-diff.outputs.text-diff != null || steps.find_comment.outputs.comment-id != null)
         with:
           body: |

.github/workflows/release.yml

@@ -11,13 +11,13 @@ jobs:
         working-directory: ./client-sdk-android
     steps:
     - name: checkout client-sdk-android
-      uses: actions/checkout@v4.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         path: ./client-sdk-android
         submodules: recursive
 
-    - name: set up JDK 12
-      uses: actions/setup-java@v3.12.0
+    - name: set up JDK 17
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
         java-version: '17'
         distribution: 'adopt'

.github/workflows/update_snapshot_pr.yml

@@ -16,7 +16,7 @@ jobs:
 
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Update snapshot
         id: update
@@ -28,7 +28,7 @@ jobs:
         run: echo $SNAPSHOT_VERSION
 
       - name: Create Update SNAPSHOT Pull Request
-        uses: peter-evans/create-pull-request@v6
+        uses: peter-evans/create-pull-request@c5a7806660adbe173f04e3e038b0ccdcd758773c # v6.1.0
         with:
           token: ${{ secrets.CHANGESET_GH_TOKEN }}
           branch: dl/update_snapshot_ver