From a478947bf188cd05f4a6a163545cf9a4d505c27e Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Tue, 14 Nov 2023 18:21:14 +0000
Subject: [PATCH 1/2] ci(github-actions): hashpin actions with dangerous permissions
This includes actions with write permisisons but also actions that have access to critical secrets, such as the `secrets.ADMIN_GITHUB_TOKEN`
Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/auto_author_assign.yml | 2 +-
 .github/workflows/binder.yml | 2 +-
 .github/workflows/enforce-label.yml | 2 +-
 .github/workflows/lock.yml | 2 +-
 .github/workflows/playwright-update.yml | 8 ++++----
 .github/workflows/prep-release.yml | 4 ++--
 .github/workflows/publish-release.yml | 6 +++---
 7 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/auto_author_assign.yml b/.github/workflows/auto_author_assign.yml
index 1702af161c..449df1737d 100644
--- a/.github/workflows/auto_author_assign.yml
+++ b/.github/workflows/auto_author_assign.yml
@@ -14,4 +14,4 @@ jobs:
 permissions:
 pull-requests: write
 steps:
- - uses: toshimaru/auto-author-assign@v2.0.1
+ - uses: toshimaru/auto-author-assign@c1ffd6f64e20f8f5f61f4620a1e5f0b0908790ef # v2.0.1
diff --git a/.github/workflows/binder.yml b/.github/workflows/binder.yml
index 1ff492bb00..7ab065ba5d 100644
--- a/.github/workflows/binder.yml
+++ b/.github/workflows/binder.yml
@@ -12,7 +12,7 @@ jobs:
 permissions:
 pull-requests: write
 steps:
- - uses: jupyterlab/maintainer-tools/.github/actions/binder-link@v1
+ - uses: jupyterlab/maintainer-tools/.github/actions/binder-link@4b05d5f62ffa18bed92d556309c86a95554401b9 # v1
 with:
 github_token: ${{ secrets.github_token }}
 url_path: tree
diff --git a/.github/workflows/enforce-label.yml b/.github/workflows/enforce-label.yml
index 2217a7b765..74bafc0367 100644
--- a/.github/workflows/enforce-label.yml
+++ b/.github/workflows/enforce-label.yml
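Review bot: The pin comment `# v1` on the binder-link line in binder.yml records only a floating major tag, so a reader cannot tell which maintainer-tools release commit `4b05d5f62ffa18bed92d556309c86a95554401b9` was resolved from, and tools that refresh pins from the trailing comment (Dependabot, Renovate) will keep following the moving `v1` tag rather than a fixed release. The same `# v1` comment is used on the enforce-label, base-setup and update-snapshots pins in the other files of this series, and the `# v2` comments on the jupyter_releaser actions in prep-release.yml and publish-release.yml have the same problem. I would record the exact release tag the SHA was taken from, or at least when it was resolved, e.g. `# v1 (resolved 2023-11-14)`, so that a later audit can check that the hash still matches an intended upstream release.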
@@ -13,4 +13,4 @@ jobs:
 pull-requests: write
 steps:
 - name: enforce-triage-label
- uses: jupyterlab/maintainer-tools/.github/actions/enforce-label@v1
+ uses: jupyterlab/maintainer-tools/.github/actions/enforce-label@4b05d5f62ffa18bed92d556309c86a95554401b9 # v1
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 9f2e762c71..0be325183a 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -14,7 +14,7 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: dessant/lock-threads@v4
+ - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1
 with:
 github-token: ${{ github.token }}
 issue-lock-inactive-days: '180'
diff --git a/.github/workflows/playwright-update.yml b/.github/workflows/playwright-update.yml
index feaa90e0c8..ee9202f96c 100644
--- a/.github/workflows/playwright-update.yml
+++ b/.github/workflows/playwright-update.yml
@@ -22,7 +22,7 @@ jobs:
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 - name: React to the triggering comment
 run: |
@@ -40,12 +40,12 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 - name: Base Setup
- uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+ uses: jupyterlab/maintainer-tools/.github/actions/base-setup@4b05d5f62ffa18bed92d556309c86a95554401b9 # v1
 - name: Build
 uses: ./.github/actions/build-dist
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
 with:
 name: notebook-dist-${{ github.run_number }}
 path: ./dist
@@ -65,7 +65,7 @@ jobs:
 jlpm playwright install
 - name: Update snapshots
- uses: jupyterlab/maintainer-tools/.github/actions/update-snapshots@v1
+ uses: jupyterlab/maintainer-tools/.github/actions/update-snapshots@4b05d5f62ffa18bed92d556309c86a95554401b9 # v1
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 npm_client: jlpm
diff --git a/.github/workflows/prep-release.yml b/.github/workflows/prep-release.yml
index 723b6d2ce1..699c1654d8 100644
--- a/.github/workflows/prep-release.yml
+++ b/.github/workflows/prep-release.yml
@@ -25,11 +25,11 @@ jobs:
 prep_release:
 runs-on: ubuntu-latest
 steps:
- - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+ - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@4b05d5f62ffa18bed92d556309c86a95554401b9 # v1
 - name: Prep Release
 id: prep-release
- uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2
+ uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@035118abd7c9d96213f84a3db281cb2273758f00 # v2
 with:
 token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
 version_spec: ${{ github.event.inputs.version_spec }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 38b1e4833e..38e1ff5cca 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -19,11 +19,11 @@ jobs:
 publish_release:
 runs-on: ubuntu-latest
 steps:
- - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+ - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@4b05d5f62ffa18bed92d556309c86a95554401b9 # v1
 - name: Populate Release
 id: populate-release
- uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2
+ uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@035118abd7c9d96213f84a3db281cb2273758f00 # v2
 with:
 token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
 target: ${{ github.event.inputs.target }}
@@ -38,7 +38,7 @@ jobs:
 PYPI_TOKEN_MAP: ${{ secrets.PYPI_TOKEN_MAP }}
 TWINE_USERNAME: __token__
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@v2
+ uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@035118abd7c9d96213f84a3db281cb2273758f00 # v2
 with:
 token: ${{ secrets.ADMIN_GITHUB_TOKEN }}
 target: ${{ github.event.inputs.target }}
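Review bot: The finalize-release step in the last hunk of publish-release.yml pins `jupyter-server/jupyter-releaser` (hyphen) to the same commit `035118abd7c9d96213f84a3db281cb2273758f00` that the prep-release and populate-release steps pin under `jupyter-server/jupyter_releaser` (underscore). The hyphenated slug predates this change, but once the reference is hash-pinned the mismatch matters more: if `jupyter-releaser` only resolves through a repository redirect, this pin depends on that redirect staying in place, and a lookup failure here would abort the run after the release has already been populated, while the step runs with `secrets.ADMIN_GITHUB_TOKEN` in hand. I would make the three references identical, `uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@035118abd7c9d96213f84a3db281cb2273758f00 # v2`, assuming the underscore form used by the two sibling steps is the canonical repository name. The step itself begins before this hunk (its `name` and the start of its `env` block are outside the visible lines).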
From f1113e7d25b873203796bf0840601cf7c54db2b6 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Fri, 15 Dec 2023 15:05:08 +0000
Subject: [PATCH 2/2] ci: hash-pin version updated after previous change
Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/lock.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lock.yml b/.github/workflows/lock.yml
index 0be325183a..e7f62c8405 100644
--- a/.github/workflows/lock.yml
+++ b/.github/workflows/lock.yml
@@ -14,7 +14,7 @@ jobs:
 issues: write
 pull-requests: write
 steps:
- - uses: dessant/lock-threads@be8aa5be94131386884a6da4189effda9b14aa21 # v4.0.1
+ - uses: dessant/lock-threads@1bf7ec25051fe7c00bdd17e6a7cf3d7bfb7dc771 # v5.0.1
 with:
 github-token: ${{ github.token }}
 issue-lock-inactive-days: '180'
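Review bot: This moves dessant/lock-threads from v4.0.1 to v5.0.1 under a commit described as a pin refresh, but it is a major-version upgrade, and the unchanged context line `issue-lock-inactive-days: '180'` still uses the v4 input name. If I recall correctly, v5 renamed its inputs (to `issue-inactive-days` and similar) and no longer accepts the old names, in which case the job would run with the action's built-in default instead of 180 days and only emit an unexpected-input warning. Please confirm against the v5 release notes and, if the rename is real, update the input in the same commit, e.g. `issue-inactive-days: '180'`. Either way the commit message should state that this is a major upgrade with possible behaviour changes rather than a re-pin of the same version.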