From b88b19e2bd09eaf2e504fac8b8aa3e241e0d10be Mon Sep 17 00:00:00 2001
From: James Wright
Date: Mon, 25 Sep 2023 12:34:48 -0700
Subject: [PATCH] Use commit hashes instead of release tags in GitHub Actions workflow actions, as per OpenSSF Scorecard best practices (https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies).
RELNOTES: n/a
PiperOrigin-RevId: 568295292
Change-Id: Ib3ead92f8ddd469141f54387b1ccb83d1929583a
---
 .github/workflows/draft-github-release.yml | 4 ++--
 .github/workflows/ossf_scorecard.yml | 2 +-
 .github/workflows/publish-on-npm.yml | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/draft-github-release.yml b/.github/workflows/draft-github-release.yml
index 1621d3153d..6e5ad12789 100644
--- a/.github/workflows/draft-github-release.yml
+++ b/.github/workflows/draft-github-release.yml
@@ -9,12 +9,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4.0.0
+ - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 with:
 # We need to fetch the full repository in order to write complete
 # release notes.
 fetch-depth: 0
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
 with:
 node-version: current
 - name: Run Release Draft Script
diff --git a/.github/workflows/ossf_scorecard.yml b/.github/workflows/ossf_scorecard.yml
index a4da43a246..e598ae0e94 100644
--- a/.github/workflows/ossf_scorecard.yml
+++ b/.github/workflows/ossf_scorecard.yml
@@ -28,7 +28,7 @@ jobs:
 steps:
 - name: "Checkout code"
- uses: actions/checkout@v4.0.0 # v3.1.0
+ uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 with:
 persist-credentials: false
diff --git a/.github/workflows/publish-on-npm.yml b/.github/workflows/publish-on-npm.yml
index 4adc119ae4..a1c410b0d6 100644
--- a/.github/workflows/publish-on-npm.yml
+++ b/.github/workflows/publish-on-npm.yml
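Review bot: Pinning `actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac` and `actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d` freezes these workflows on those exact commits, and nothing in the patch keeps the pins current, so the trailing `# v4.0.0` / `# v3.8.1` comments will drift from what upstream ships as security fixes land. The same applies to the ossf_scorecard.yml hunk and both publish-on-npm.yml hunks, which carry the same SHAs. A SHA pin is only half of the Scorecard recommendation; the other half is an automated updater, so consider adding a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` (which bumps the SHA and its version comment together) and stating that in the commit message. The enclosing `jobs:` mapping begins before the hunk, so the job name is not visible here.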
@@ -16,11 +16,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 # This action checks out at the commit of the tagged release.
- - uses: actions/checkout@v4.0.0
+ - uses: actions/3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 # Install all deps in preparation for creating a release.
 # Unlike publishing, this is done using the normal NPM registry
 # to download deps.
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
 with:
 node-version: current
 # TODO: We should check in a lockfile and use npm ci here instead.
@@ -29,7 +29,7 @@ jobs:
 # Re-setup node using Wombat Dressing Room as the registry
 # The actual NodeJS binaries and such are cached, so doing this
 # twice isn't particularly expensive.
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
 with:
 node-version: current
 registry-url: https://wombat-dressing-room.appspot.com
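Review bot: The first added line of the `@@ -16,11 +16,11 @@` hunk, `- uses: actions/3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0`, has lost the `checkout@` segment, so `uses:` no longer names an `owner/repo@ref` and the publish workflow will fail to resolve the action when the job starts; the same SHA is written correctly in draft-github-release.yml and ossf_scorecard.yml. The line should read `- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0`. Since this is the release-publishing path, a dry run of the workflow on a branch before merging would have surfaced it, and a workflow linter would likely reject the malformed reference as well. The enclosing `jobs:` mapping begins before the hunk.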