PYTHON-5353 Use pinned sources for GitHub Actions (#333)

2025-04-29 13:56:32 -05:00 · 2025-04-29 13:56:32 -05:00 · 83f735ad45
commit 83f735ad45
parent c291853a13
4 changed files with 7 additions and 7 deletions
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -55,7 +55,7 @@ jobs:

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3
      with:
        languages: ${{ matrix.language }}
        build-mode: none
@ -71,6 +71,6 @@ jobs:
        pip install -e .

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -79,14 +79,14 @@ jobs:
          name: all-dist-${{ github.run_id }}
          path: dist/
      - name: Publish package distributions to TestPyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1
        with:
          repository-url: https://test.pypi.org/legacy/
          skip-existing: true
          attestations: ${{ env.DRY_RUN }}
      - name: Publish package distributions to PyPI
        if: startsWith(env.DRY_RUN, 'false')
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # release/v1

  post-publish:
    needs: [publish]
--- a/.github/workflows/test-python.yml
+++ b/.github/workflows/test-python.yml
@ -83,7 +83,7 @@ jobs:
      - name: Run linkcheck
        run: tox -m linkcheck
      - name: Start MongoDB
-        uses: supercharge/mongodb-github-action@1.12.0
+        uses: supercharge/mongodb-github-action@90004df786821b6308fb02299e5835d0dae05d0d # 1.12.0
        with:
          mongodb-version: 5.0
      - name: Run doctest
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@ -18,7 +18,7 @@ jobs:
        with:
          persist-credentials: false
      - name: Setup Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1
+        uses: actions-rust-lang/setup-rust-toolchain@9d7e65c320fdb52dcd45ffaa68deb6c02c8754d9 # v1
      - name: Get zizmor
        run: cargo install zizmor
      - name: Run zizmor
@ -26,7 +26,7 @@ jobs:
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 # v3
        with:
          sarif_file: results.sarif
          category: zizmor