Use commit hashes instead of release tags in GitHub Actions workflow …

…actions, as per OpenSSF Scorecard best practices (https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies). RELNOTES: n/a PiperOrigin-RevId: 568295292 Change-Id: Ib3ead92f8ddd469141f54387b1ccb83d1929583a
google · Sep 25, 2023 · b88b19e · b88b19e
1 parent c0597fa
commit b88b19e
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 6 deletions.
diff --git a/.github/workflows/draft-github-release.yml b/.github/workflows/draft-github-release.yml
@@ -9,12 +9,12 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/[email protected]
+      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           # We need to fetch the full repository in order to write complete
           # release notes.
           fetch-depth: 0
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: current
       - name: Run Release Draft Script

diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@v4.0.0 # v3.1.0
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
         with:
           persist-credentials: false
 

diff --git a/.github/workflows/publish-on-npm.yml b/.github/workflows/publish-on-npm.yml
@@ -16,11 +16,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # This action checks out at the commit of the tagged release.
-      - uses: actions/checkout@v4.0.0
+      - uses: actions/3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       # Install all deps in preparation for creating a release.
       # Unlike publishing, this is done using the normal NPM registry
       # to download deps.
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: current
       # TODO: We should check in a lockfile and use npm ci here instead.
@@ -29,7 +29,7 @@ jobs:
       # Re-setup node using Wombat Dressing Room as the registry
       # The actual NodeJS binaries and such are cached, so doing this
       # twice isn't particularly expensive.
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
         with:
           node-version: current
           registry-url: https://wombat-dressing-room.appspot.com