From d5e3115db871f015d03cd5bc1f47dfe28d427ce0 Mon Sep 17 00:00:00 2001
From: Nicklas Lundin
Date: Wed, 20 May 2026 12:59:12 +0200
Subject: [PATCH] fix(ci): pin GitHub Actions to commit SHAs

Mitigate supply chain attacks by pinning all third-party actions to immutable commit SHAs. Upgrade actions/checkout from v2 to v4.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/android-test.yaml | 6 +++---
 .github/workflows/ci.yaml | 6 +++---
 .github/workflows/ios-test.yaml | 6 +++---
 .github/workflows/lint-pr.yaml | 6 +++---
 .github/workflows/release-please.yaml | 6 +++---
 5 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/android-test.yaml b/.github/workflows/android-test.yaml
index 03f6211..ebb0d9a 100644
--- a/.github/workflows/android-test.yaml
+++ b/.github/workflows/android-test.yaml
@@ -16,12 +16,12 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - run: echo API_KEY=${{ secrets.TEST_API_KEY }} > example/.env
 - name: Set up Flutter
- uses: subosito/flutter-action@v2
+ uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2
 with:
 flutter-version: ${{ env.FLUTTER_VERSION }}
 channel: ${{ env.FLUTTER_CHANNEL }}
@@ -37,7 +37,7 @@ jobs:
 sudo udevadm trigger --name-match=kvm
 - name: run android tests
- uses: reactivecircus/android-emulator-runner@v2
+ uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2
 with:
 api-level: 29
 script: cd example && flutter drive --driver=test_drive/integration_test.dart --target=test/widget_test.dart
\ No newline at end of file
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 82a7ebc..735c417 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
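Review bot: The trailing `# v4` on the new actions/checkout pin records only a major, so a reader cannot tell which release 34e11487… is meant to be and Dependabot/Renovate cannot keep the SHA and the comment in step; the flutter-action pin just below it has the same bare `# v2`. I cannot verify from the diff that the SHA resolves to a v4 tag of actions/checkout; please confirm each pinned SHA against the upstream tag (for example `git ls-remote --tags https://github.com/actions/checkout | grep 34e11487`) and write the full tag, e.g. `uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.<minor>.<patch>`. A SHA pin freezes the action but does not bring updates, so pair it with a `.github/dependabot.yml` entry for `package-ecosystem: github-actions` or the pins will silently fall behind security fixes. The enclosing job starts before this hunk.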
@@ -16,19 +16,19 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: fetch submodules
 run: git submodule update --init --recursive
 - name: Set up JDK 17
- uses: actions/setup-java@v3
+ uses: actions/setup-java@17f84c3641ba7b8f6deff6309fc4c864478f5d62 # v3
 with:
 java-version: 17
 distribution: 'zulu'
 - name: Set up Flutter
- uses: subosito/flutter-action@v2
+ uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2
 with:
 flutter-version: ${{ env.FLUTTER_VERSION }}
 channel: ${{ env.FLUTTER_CHANNEL }}
diff --git a/.github/workflows/ios-test.yaml b/.github/workflows/ios-test.yaml
index 6d8b59f..9a86374 100644
--- a/.github/workflows/ios-test.yaml
+++ b/.github/workflows/ios-test.yaml
@@ -16,7 +16,7 @@ jobs:
 steps:
 - name: Checkout code
- uses: actions/checkout@v2
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - name: fetch submodules
 run: git submodule update --init --recursive
@@ -33,12 +33,12 @@ jobs:
 working-directory: ios/Classes
 run: git rm confidence-sdk
- - uses: futureware-tech/simulator-action@v3
+ - uses: futureware-tech/simulator-action@bfa03d93ec9de6dacb0c5553bbf8da8afc6c2ee9 # v3
 with:
 model: 'iPhone 16'
 - name: Set up Flutter
- uses: subosito/flutter-action@v2
+ uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2
 with:
 flutter-version: ${{ env.FLUTTER_VERSION }}
 channel: ${{ env.FLUTTER_CHANNEL }}
diff --git a/.github/workflows/lint-pr.yaml b/.github/workflows/lint-pr.yaml
index 2a3907e..5669e87 100644
--- a/.github/workflows/lint-pr.yaml
+++ b/.github/workflows/lint-pr.yaml
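Review bot: The new actions/setup-java pin freezes the step at a v3 commit (17f84c36…) in the same hunk that moves actions/checkout from v2 to v4; once a SHA is pinned the floating tag no longer moves, so whichever major is chosen here stays until someone edits the file. If a newer major of setup-java is available at the time of this commit — I cannot confirm that from the diff — bump it before pinning so the pin does not lock in a superseded release, and record the full tag in the comment (`# v3.<minor>.<patch>`) rather than the bare `# v3`. The same bare-major comments appear on the `futureware-tech/simulator-action` and `subosito/flutter-action` pins in the ios-test.yaml hunks on this line. The jobs these steps belong to start outside the hunks.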
@@ -12,12 +12,12 @@ jobs:
 name: Validate PR title
 runs-on: ubuntu-latest
 steps:
- - uses: amannn/action-semantic-pull-request@v5
+ - uses: amannn/action-semantic-pull-request@e32d7e603df1aa1ba07e981f2a23455dee596825 # v5
 id: lint_pr_title
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - uses: marocchino/sticky-pull-request-comment@v2
+ - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
 # When the previous steps fails, the workflow would stop. By adding this
 # condition you can continue the execution with the populated error message.
 if: always() && (steps.lint_pr_title.outputs.error_message != null)
@@ -36,7 +36,7 @@ jobs:
 # Delete a previous comment when the issue has been resolved
 - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
- uses: marocchino/sticky-pull-request-comment@v2
+ uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
 with:
 header: pr-title-lint-error
 delete: true
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
index d5a1373..cdf3485 100644
--- a/.github/workflows/release-please.yaml
+++ b/.github/workflows/release-please.yaml
@@ -10,7 +10,7 @@ jobs:
 # Release-please creates a PR that tracks all changes
 steps:
- - uses: googleapis/release-please-action@v4
+ - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4
 id: release
 with:
 command: manifest
@@ -33,7 +33,7 @@ jobs:
 FLUTTER_VERSION: 3.27.3
 if: ${{ needs.release-please.outputs.release_created }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 ref: ${{ needs.release-please.outputs.release_tag_name }}
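Review bot: The pinned amannn/action-semantic-pull-request step still receives `GITHUB_TOKEN` through `env`, and the pinned marocchino/sticky-pull-request-comment step writes PR comments with the same token, so both third-party actions run with whatever permissions the job inherits; the SHA pin closes the tag-swap window but does not bound what a compromised action at that SHA could do with the token. If the job has no explicit `permissions:` block (it would sit outside this hunk, so I cannot see it), add one scoped to what these two steps need, e.g. `permissions:` / `  pull-requests: write` / `  contents: read`, so the token cannot push or tag. It is also worth confirming whether this workflow is triggered by `pull_request_target`, as PR-title linters commonly are, since that is the trigger where a write-capable token meets fork-controlled input. The job definition starts before this hunk.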
@@ -41,7 +41,7 @@ jobs:
 run: git submodule update --init --recursive
 - name: Set up Flutter
- uses: subosito/flutter-action@v2
+ uses: subosito/flutter-action@1a449444c387b1966244ae4d4f8c696479add0b2 # v2
 with:
 flutter-version: ${{ env.FLUTTER_VERSION }}
 channel: ${{ env.FLUTTER_CHANNEL }}