Merge pull request #6595 from IntersectMBO/improve-gha

ci: improve github actions

Author: snarlysodboxer

.github/workflows/actionlint.yml

@@ -8,18 +8,21 @@ jobs:
   actionlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       # We want to install Nix to provision shellcheck, so that actionlint doesn't install
       # its own shellcheck. This will also make sure that this pipeline runs using
       # the same shellcheck as the ones in Nix shells of developers.
       - name: Install Nix
-        uses: cachix/install-nix-action@v31
+        uses: cachix/install-nix-action@b97f05dcb019ddea06450a50ef6203d2fdc19fee # v31
         with:
           extra_nix_config: |
-            accept-flake-config = true
+            extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
+            extra-substituters = https://cache.iog.io/
       # Make the Nix environment available to next steps
-      - uses: rrbutani/use-nix-shell-action@v1
+      - uses: rrbutani/use-nix-shell-action@f97339023a09121113e5a58ad88fe0e9fde3406b # v1
 
       - name: actionlint
         run: |

.github/workflows/check-cabal-files.yml

@@ -10,12 +10,14 @@ jobs:
 
     steps:
     - name: Install Haskell
-      uses: input-output-hk/actions/haskell@latest
+      uses: input-output-hk/actions/haskell@dbb6ea6d50ffc37a2d481fd8047aff028bac3223 # latest
       id: setup-haskell
       with:
         cabal-version: "3.10.2.0"
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
 
     - name: Cabal check
       run: ./scripts/ci/check-cabal-files.sh

.github/workflows/check-changelog.yml

@@ -14,10 +14,12 @@ jobs:
     name: Check for scriv fragment
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
 
       - name: Check for changes in cardano-testnet
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@6852f92c20ea7fd3b0c25de3b5112db3a98da050 # v3
         id: filter
         with:
           filters: |
@@ -26,22 +28,23 @@ jobs:
 
       - name: Check for changelog changes
         if: steps.filter.outputs.cardano == 'true'
-        uses: brettcannon/check-for-changed-files@v1
+        uses: brettcannon/check-for-changed-files@871d7b8b5917a4f6f06662e2262e8ffc51dff6d1 # v1
         with:
           file-pattern: "cardano-testnet/changelog.d/*.md"
           skip-label: "no-changelog-needed"
           failure-message: "You modified `cardano-testnet` but are missing a changelog fragment! Please run `scriv create` or apply the `no-changelog-needed` label."
 
       - name: Install Nix
         if: steps.filter.outputs.cardano == 'true'
-        uses: cachix/install-nix-action@v31
+        uses: cachix/install-nix-action@b97f05dcb019ddea06450a50ef6203d2fdc19fee # v31
         with:
           extra_nix_config: |
-            accept-flake-config = true
+            extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
+            extra-substituters = https://cache.iog.io/
 
       - name: Check scriv fragments are correct
         if: steps.filter.outputs.cardano == 'true'
-        uses: rrbutani/use-nix-shell-action@v1
+        uses: rrbutani/use-nix-shell-action@f97339023a09121113e5a58ad88fe0e9fde3406b # v1
         with:
           script: cd cardano-testnet && scriv collect --version "CI-CHECK" --keep
 

.github/workflows/check-git-dependencies.yml

@@ -14,7 +14,9 @@ jobs:
 
     steps:
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
 
     - name: Check git dependencies
       run: |

.github/workflows/check-hlint.yml

@@ -14,12 +14,14 @@ jobs:
 
     steps:
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
 
     - name: 'Set up HLint'
-      uses: rwe/actions-hlint-setup@v1
+      uses: rwe/actions-hlint-setup@9f5da5e7cd43663fb7b2e2154a087c17f0471ed1 # v1
       with:
         version: 3.8
 
     - name: 'Run HLint'
-      uses: rwe/actions-hlint-run@v2
+      uses: rwe/actions-hlint-run@c178fa6263930e604e377a21ef54403306bdc1c7 # v2

.github/workflows/check-mainnet-config.yml

@@ -15,19 +15,20 @@ jobs:
     steps:
 
     - name: Install Nix
-      uses: cachix/install-nix-action@v27
+      uses: cachix/install-nix-action@b97f05dcb019ddea06450a50ef6203d2fdc19fee # v31
       with:
         # Use last stable nixos channel and the same nix as in channel:
         nix_path: nixpkgs=channel:nixos-24.05
         github_access_token: ${{ secrets.GITHUB_TOKEN }}
         extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
           experimental-features = nix-command flakes
           allow-import-from-derivation = true
-          substituters = https://cache.nixos.org https://cache.iog.io
-          trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          extra-substituters = https://cache.iog.io/
+          extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
 
     - name: Refresh cardano-node mainnet configuration
       run: |

.github/workflows/github-page.yml

@@ -15,19 +15,20 @@ jobs:
 
     steps:
     - name: Install Nix
-      uses: cachix/install-nix-action@v18
+      uses: cachix/install-nix-action@b97f05dcb019ddea06450a50ef6203d2fdc19fee # v31
       with:
         # Use last stable nixos channel and the same nix as in channel:
         nix_path: nixpkgs=channel:nixos-24.05
         github_access_token: ${{ secrets.GITHUB_TOKEN }}
         extra_nix_config: |
-          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
           experimental-features = nix-command flakes
           allow-import-from-derivation = true
-          substituters = https://cache.nixos.org https://cache.iog.io
-          trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+          extra-substituters = https://cache.iog.io/
+          extra-trusted-public-keys = hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
 
     - name: Fetch nix cache and update cabal indices
       run: |
@@ -49,7 +50,7 @@ jobs:
         tar -czf haddocks.tgz -C haddocks .
 
     - name: Upload haddocks artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       if: ${{ always() }}
       continue-on-error: true
       with:
@@ -58,7 +59,7 @@ jobs:
 
     - name: Deploy documentation to gh-pages 🚀
       if: github.ref == 'refs/heads/master'
-      uses: peaceiris/actions-gh-pages@v4
+      uses: peaceiris/actions-gh-pages@e9c66a37f080288a11235e32cbe2dc5fb3a679cc # v4
       with:
         github_token: ${{ secrets.GITHUB_TOKEN || github.token }}
         publish_dir: haddocks

.github/workflows/haskell.yml

@@ -88,24 +88,26 @@ jobs:
         g+${{ (startsWith(github.ref, 'refs/heads/gh-readonly-queue/') && github.run_id) || github.event.pull_request.number || github.ref }}
 
     - name: Install Haskell
-      uses: input-output-hk/actions/haskell@latest
+      uses: input-output-hk/actions/haskell@dbb6ea6d50ffc37a2d481fd8047aff028bac3223 # latest
       id: setup-haskell
       with:
         ghc-version: ${{ matrix.ghc }}
         cabal-version: ${{ matrix.cabal }}
 
     - name: Install system dependencies
-      uses: input-output-hk/actions/base@latest
+      uses: input-output-hk/actions/base@dbb6ea6d50ffc37a2d481fd8047aff028bac3223 # latest
       with:
         use-sodium-vrf: true # default is true
 
     - name: Install gRPC system dependencies
-      uses: input-output-hk/cardano-dev/actions/grpc-deps@grpc-deps-0.0.1.0
+      uses: input-output-hk/cardano-dev/actions/grpc-deps@64bbe67966d5ee404a795803a2b56718baebffb4 # grpc-deps-0.0.1.0
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
 
     - name: Cache and install Cabal dependencies
-      uses: input-output-hk/cardano-dev/actions/cabal-cache@cabal-cache-0.0.1.0
+      uses: input-output-hk/cardano-dev/actions/cabal-cache@e811e25d3927d62ba87f1762ea51c36e65f0b09a # cabal-cache-0.0.1.0
       with:
         cabal-store: ${{ steps.setup-haskell.outputs.cabal-store }}
         cache-version: ${{ env.CABAL_CACHE_VERSION }}
@@ -132,7 +134,7 @@ jobs:
 
     - name: Upload workspaces on tests failure
       if: ${{ failure() }}
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: failed-test-workspaces-${{ matrix.sys.os }}-ghc${{ matrix.ghc }}-cabal${{ matrix.cabal }}.tgz
         path: ${{ runner.temp }}/workspaces.tgz
@@ -161,7 +163,7 @@ jobs:
         fi
 
     - name: Save Artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       if: ${{ always() }}
       continue-on-error: true
       with:
@@ -206,7 +208,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
 
     - name: Create Release Tag
       id: create_release_tag
@@ -215,7 +219,7 @@ jobs:
 
     - name: Create Release
       id: create_release
-      uses: actions/create-release@v1
+      uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -225,12 +229,12 @@ jobs:
         prerelease: false
 
     - name: Download Artifact
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
       with:
         name: artifacts-ubuntu-latest
 
     - name: Upload Release Asset
-      uses: actions/upload-release-asset@v1
+      uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:

.github/workflows/markdown-links-ci-check.yml

@@ -8,8 +8,10 @@ jobs:
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: tcort/github-action-markdown-link-check@v1
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      with:
+        persist-credentials: false
+    - uses: tcort/github-action-markdown-link-check@e7c7a18363c842693fadde5d41a3bd3573a7a225 # v1
       with:
         use-quiet-mode: yes
         config-file: '.github/mlc_config.json'

.github/workflows/nightly-trigger.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
 
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
     - name: Tag
       run: |
@@ -24,7 +24,7 @@ jobs:
         git push origin nightly --force
 
     - name: Invoke workflow
-      uses: input-output-hk/workflow-dispatch@v1
+      uses: input-output-hk/workflow-dispatch@be1256a3797d8bbe96bdbdf65dbf9cc8dc48e9eb # v1
       with:
         workflow: .github/workflows/haskell.yml
         ref: nightly