ci: pin GitHub Actions to commit SHAs for supply chain security

rohankmr414 · claude · rohankmr414 · commit f9f2fdf47248 · 2026-03-24T13:17:34.000+05:30
Replace mutable tag references with immutable commit SHAs across
workflow files. Original tags are preserved as inline comments.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -16,8 +16,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version-file: ./go.mod
       - name: Install dependencies
@@ -29,7 +29,7 @@ jobs:
       - name: Vet
         run: go vet ./...
       - name: Lint
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8
         with:
           version: latest
           only-new-issues: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -14,8 +14,8 @@ jobs:
     needs: [tests]
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version-file: ./go.mod
       - name: build the CLI
@@ -25,13 +25,13 @@ jobs:
           .github/scripts/plugin-manifest.sh
           mv _output/* release
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           path: release/manifest.yaml
           if-no-files-found: error
           name: plugin-manifest
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           path: release/hasura-ndc-go-*
           if-no-files-found: error
@@ -44,9 +44,9 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ startsWith(github.ref, 'refs/tags/v') }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:
           path: release/artifacts
           merge-multiple: true
@@ -63,7 +63,7 @@ jobs:
           ${ROOT}/release/artifacts/hasura-ndc-go-linux-amd64 new -n ndc_go -m hasura-ndc.dev/ndc-go -o /tmp/release/connector-definition
           tar -czvf "${ROOT}/release/artifacts/connector-definition.tgz" --directory "/tmp/release/connector-definition/" .
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: connector-definition.tgz
           path: ./release/artifacts/connector-definition.tgz
@@ -76,7 +76,7 @@ jobs:
         shell: bash
 
       - name: create a draft release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1
         with:
           draft: true
           tag: v${{ steps.get-version.outputs.tagged_version }}
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -21,8 +21,8 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
-      - uses: actions/setup-go@v5
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version-file: ./go.mod
       - name: Install dependencies
@@ -61,7 +61,7 @@ jobs:
           go install github.com/boumenot/gocover-cobertura
           gocover-cobertura < ./coverage/profile > coverage.xml
       - name: Code Coverage Summary Report
-        uses: irongut/CodeCoverageSummary@v1.3.0
+        uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95 # v1.3.0
         if: ${{ github.event_name == 'pull_request' }}
         with:
           filename: coverage.xml
@@ -74,10 +74,10 @@ jobs:
           output: both
           thresholds: "40 70"
       - name: Add Coverage PR Comment
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
         if: ${{ github.event_name == 'pull_request' }}
         with:
           path: code-coverage-results.md
       - name: Dump docker logs on failure
         if: failure()
-        uses: jwalton/gh-docker-logs@v2
+        uses: jwalton/gh-docker-logs@eb53a99ccbbb34d4243439c2c3dac3ed78a926ed # v2
