Merge pull request #2 from davidalmeidac/chore/ci-pin-action-shas

chore(ci): pin GitHub Actions to commit SHAs + add lint script

Author: davidalmeidac

.github/dependabot.yml

@@ -0,0 +1,12 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      actions:
+        patterns:
+          - "*"
+    commit-message:
+      prefix: "chore(ci)"

.github/workflows/java-ci.yml

@@ -33,17 +33,17 @@ jobs:
         java: ["17", "21"]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up JDK ${{ matrix.java }}
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: temurin
           java-version: ${{ matrix.java }}
           cache: maven
 
       - name: Set up Node 22 (for cross-stack vectors)
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
 
@@ -66,7 +66,7 @@ jobs:
 
       - name: Upload surefire reports on failure
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: surefire-${{ matrix.os }}-jdk${{ matrix.java }}
           path: java/**/target/surefire-reports/

.github/workflows/java-release.yml

@@ -20,10 +20,10 @@ jobs:
     environment: maven-central
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Set up JDK 21
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
         with:
           distribution: temurin
           java-version: "21"
@@ -35,7 +35,7 @@ jobs:
           gpg-passphrase: MAVEN_GPG_PASSPHRASE
 
       - name: Set up Node 22 (for cross-stack vectors)
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
 
@@ -63,7 +63,7 @@ jobs:
         run: mvn -B -ntp -Prelease deploy -DskipTests
 
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2.6.2
         with:
           generate_release_notes: true
           name: "Java ${{ github.ref_name }}"

.github/workflows/node-ci.yml

@@ -35,9 +35,13 @@ jobs:
         os: [ubuntu-latest, windows-latest, macos-latest]
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - uses: actions/setup-node@v4
+      - name: Lint workflow pinning
+        working-directory: ${{ github.workspace }}
+        run: node node/scripts/lint-workflows.mjs
+
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: ${{ matrix.node }}
           cache: npm

.github/workflows/node-release.yml

@@ -29,9 +29,9 @@ jobs:
     environment: npm-publish
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
           cache: npm

.github/workflows/pages.yml

@@ -26,16 +26,16 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Configure Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 
       - name: Upload site artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: site
 
       - name: Deploy
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

node/scripts/lint-workflows.mjs

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+/**
+ * Lint .github/workflows/*.yml — every `uses:` line MUST pin to a
+ * 40-char commit SHA, with an optional trailing comment.
+ *
+ * Exit codes:
+ *   0  all uses: lines pinned (or no non-local uses: lines found)
+ *   1  one or more lines fail the pin regex (prints file:line:offender to stderr)
+ *   2  unexpected error (e.g. workflows dir missing)
+ *
+ * Environment:
+ *   LINT_WORKFLOWS_DIR  override the directory to lint (default: .github/workflows)
+ *                       useful for unit tests pointing at fixture dirs
+ */
+
+import { readFileSync, readdirSync } from 'node:fs';
+import { join, resolve } from 'node:path';
+
+const WORKFLOWS_DIR = process.env.LINT_WORKFLOWS_DIR ?? '.github/workflows';
+
+// Matches a ref ending with @<40-hex-chars> — tested against the extracted
+// ref value after stripping quotes, not the raw line.
+const PIN_RE = /@[a-f0-9]{40}$/;
+
+// Matches a uses: line (list-item form or map-value form, quoted or unquoted).
+// Group 1: optional open quote, Group 2: the reference value, Group 3: trailing comment
+const USES_RE = /^\s*-?\s*uses:\s*(['"]?)([^'";\s#]+)\1(\s*#.*)?$/;
+
+let failed = 0;
+
+try {
+  const dir = resolve(WORKFLOWS_DIR);
+  const files = readdirSync(dir).filter(
+    (f) => f.endsWith('.yml') || f.endsWith('.yaml'),
+  );
+
+  for (const f of files) {
+    const filePath = join(dir, f);
+    const lines = readFileSync(filePath, 'utf8').split(/\r?\n/);
+
+    lines.forEach((line, idx) => {
+      const m = line.match(USES_RE);
+      if (!m) return;
+
+      const ref = m[2];
+      // Local actions (./.github/actions/...) and docker images are not
+      // pinnable by commit SHA — skip them.
+      if (ref.startsWith('./') || ref.startsWith('docker://')) return;
+
+      // Test the extracted ref value (not the raw line) to handle quoted forms
+      // like uses: 'org/repo@<sha>' where a closing quote follows the SHA.
+      if (!PIN_RE.test(ref)) {
+        process.stderr.write(
+          `${filePath}:${idx + 1}: not pinned to 40-char SHA: ${line.trim()}\n`,
+        );
+        failed++;
+      }
+    });
+  }
+} catch (err) {
+  process.stderr.write(`lint-workflows: ${err.message}\n`);
+  process.exit(2);
+}
+
+process.exit(failed > 0 ? 1 : 0);

node/tests/scripts/fixtures/bad-pin.yml

@@ -0,0 +1,9 @@
+name: Bad Pin Fixture
+
+on: [push]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4

node/tests/scripts/fixtures/good-pin.yml

@@ -0,0 +1,10 @@
+name: Good Pin Fixture
+
+on: [push]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@1234567890abcdef1234567890abcdef12345678 # v4.1.7
+      - uses: actions/setup-node@1234567890abcdef1234567890abcdef12345678 # v4.0.0

node/tests/scripts/fixtures/local-action.yml

@@ -0,0 +1,9 @@
+name: Local Action Fixture
+
+on: [push]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ./.github/actions/my-local-action