ci: Pin external actions to Git SHAs

kaylendog · kaylendog · commit fac47f55faad · 2026-03-09T12:21:18.000Z
diff --git a/.github/workflows/single_sdk_tests.yml b/.github/workflows/single_sdk_tests.yml
@@ -32,7 +32,7 @@ jobs:
       # At this stage we don't know which repo we have just checked out. We will reference this repo
       # if the workflow uses '.'
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Resolve branches
         shell: bash
         # these env vars will be modified and used in subsequent steps
@@ -104,18 +104,18 @@ jobs:
           docker pull mitmproxy/mitmproxy:10.1.5
           docker tag ghcr.io/matrix-org/synapse-service:v1.117.0 homeserver:latest
       - name: Setup | Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "1.25"
       - name: "Install Complement Dependencies"
         shell: bash
         run: |
-          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
+          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0
 
       # JS SDK only steps
       - name: Setup | Node.js LTS
         if: ${{ inputs.use_js_sdk != '' }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "lts/*"
       - name: "Install JS SDK"
@@ -128,7 +128,7 @@ jobs:
       # which we then pass to rebuild_rust_sdk.sh
       - name: Setup | Rust
         if: ${{ inputs.use_rust_sdk != '' }}
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable v1.93.1
         with:
           toolchain: stable
       - name: "Download Rust SDK" # no need to download rust SDK if we are using the local checkout.
@@ -182,7 +182,7 @@ jobs:
           RUST_SDK_LIB_RELATIVE: ${{ inputs.use_rust_sdk == '.' &&  '/target/debug' || '/complement-crypto/rust-sdk/target/debug'}}
 
       - name: Upload logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ failure() }}
         with:
           name: Logs - ${{ inputs.use_js_sdk != '' && 'jssdk' || 'rust'}}
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -2,7 +2,7 @@ name: Tests
 
 on:
   push:
-    branches: [ 'main' ]
+    branches: ["main"]
   pull_request:
   workflow_dispatch:
 
@@ -15,35 +15,35 @@ jobs:
     name: Tests (JS only, latest)
     uses: ./.github/workflows/single_sdk_tests.yml
     with:
-      use_js_sdk: 'MATCHING_BRANCH'
-      use_complement_crypto: '.'
+      use_js_sdk: "MATCHING_BRANCH"
+      use_complement_crypto: "."
 
   rust-latest-main:
     name: Tests (Rust only, latest)
     uses: ./.github/workflows/single_sdk_tests.yml
     with:
-      use_rust_sdk: 'MATCHING_BRANCH'
-      use_complement_crypto: '.'
+      use_rust_sdk: "MATCHING_BRANCH"
+      use_complement_crypto: "."
 
   complement:
     name: Tests
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3 # Checkout crypto tests
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       # Install Node, Go and Rust, along with gotestfmt
       - name: Setup | Node.js LTS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "lts/*"
-          cache: 'yarn'
+          cache: "yarn"
           cache-dependency-path: "internal/api/js/js-sdk/yarn.lock"
       - name: Setup | Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: '1.21'
+          go-version: "1.21"
       - name: Setup | Rust
-        uses: dtolnay/rust-toolchain@stable
+        uses: dtolnay/rust-toolchain@631a55b12751854ce901bb631d5902ceb48146f7 # stable v1.93.1
         with:
           toolchain: stable
       - name: Checkout matrix-rust-sdk
@@ -53,12 +53,12 @@ jobs:
           wget -O archive.tar.gz "https://github.com/matrix-org/matrix-rust-sdk/archive/$BRANCH.tar.gz"
           zcat < archive.tar.gz | git get-tar-commit-id # useful for debugging
           tar -xz --strip-components=1 -C rust-sdk < archive.tar.gz
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
         with:
           workspaces: "rust-sdk"
       - name: "Install Complement Dependencies"
         run: |
-          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
+          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0
 
       # Install whatever version of the JS SDK is in package.json
       - name: Build JS SDK
@@ -161,10 +161,10 @@ jobs:
           DOCKER_BUILDKIT: 1
 
       - name: Upload logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ always() }} # do this even if the tests fail
         with:
           name: Logs - ${{ job.status }}
           path: |
-              ./**/logs/*
-              ./**/mitm.dump
+            ./**/logs/*
+            ./**/mitm.dump
