Pin SHA values as version numbers for 3rd party GHAs (#29485)

(cherry picked from commit 80b6e5b)
WordPress · Jul 2, 2021 · 5456048 · 5456048
1 parent 47f9af7
commit 5456048
Show file tree

Hide file tree

Showing 13 changed files with 49 additions and 49 deletions.
diff --git a/.github/workflows/build-plugin-zip.yml b/.github/workflows/build-plugin-zip.yml
@@ -17,10 +17,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
       - name: Cache node modules
-        uses: actions/cache@v2
+        uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
         env:
           cache-name: cache-node-modules
         with:
@@ -33,7 +33,7 @@ jobs:
             ${{ runner.os }}-
 
       - name: Use Node.js 14.x
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
         with:
           node-version: 14.x
 
@@ -43,7 +43,7 @@ jobs:
           NO_CHECKS: 'true'
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571 # v2.2.2
         with:
           name: gutenberg-plugin
           path: ./gutenberg.zip
@@ -59,7 +59,7 @@ jobs:
         run: echo ::set-output name=version::$(echo $GITHUB_REF | cut -d / -f 3 | sed s/^v// | sed 's/-rc./ RC/' )
 
       - name: Download Plugin Zip Artifact
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@4a7a711286f30c025902c28b541c10e147a9b843 # v2.0.8
         with:
           name: gutenberg-plugin
 
@@ -71,7 +71,7 @@ jobs:
 
       - name: Create Release Draft
         id: create_release
-        uses: actions/create-release@v1
+        uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -83,7 +83,7 @@ jobs:
 
       - name: Upload Release Asset
         id: upload-release-asset
-        uses: actions/[email protected].1
+        uses: actions/upload-release-asset@e8f9f06c4b078e705bd2ea027f0926603fc9b4d5 # v1.0.2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

diff --git a/.github/workflows/bundle-size.yml b/.github/workflows/bundle-size.yml
@@ -8,11 +8,11 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
       with:
         fetch-depth: 1
 
-    - uses: preactjs/compressed-size-action@v2
+    - uses: preactjs/compressed-size-action@7d87f60a6b0c7d193b8183ce859ed00b356ea92f # v2.1.0
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
         pattern: "{build/**/*.js,build/**/*.css}"
diff --git a/.github/workflows/cancel.yml b/.github/workflows/cancel.yml
@@ -9,7 +9,7 @@ jobs:
       - name: Get all workflow ids and set to env variable
         run: echo "WORKFLOW_IDS_TO_CANCEL=$(curl https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/workflows -s | jq -r '.workflows | map(.id|tostring) | join(",")')" >> $GITHUB_ENV
 
-      - uses: styfle/cancel-workflow-action@0.4.0
+      - uses: styfle/cancel-workflow-action@3d86a7cc43670094ac248017207be0295edbc31d # v0.8.0
         with:
           workflow_id: ${{ env.WORKFLOW_IDS_TO_CANCEL }}
           access_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/create-block.yml b/.github/workflows/create-block.yml
@@ -23,10 +23,10 @@ jobs:
         node: [12, 14]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -39,7 +39,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Use Node.js ${{ matrix.node }}.x
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: ${{ matrix.node }}
 

diff --git a/.github/workflows/end2end-test.yml b/.github/workflows/end2end-test.yml
@@ -24,10 +24,10 @@ jobs:
 
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -40,7 +40,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Use Node.js 14.x
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: 14.x
 
@@ -60,7 +60,7 @@ jobs:
         $( npm bin )/wp-scripts test-e2e --config=./packages/e2e-tests/jest.config.js --cacheDirectory="$HOME/.jest-cache" --runTestsByPath $( awk 'NR % 4 == ${{ matrix.part }} - 1' < ~/.jest-e2e-tests )
 
     - name: Archive debug artifacts (screenshots, HTML snapshots)
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571 # v2.2.2
       if: always()
       with:
         name: failures-artifacts

diff --git a/.github/workflows/performance.yml b/.github/workflows/performance.yml
@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -30,7 +30,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Use Node.js 14.x
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: 14.x
 
@@ -56,5 +56,5 @@ jobs:
         IFS='.' read -r -a WP_VERSION_ARRAY <<< "$WP_VERSION"
         WP_BRANCH="wp/${WP_VERSION_ARRAY[0]}.${WP_VERSION_ARRAY[1]}"
         ./bin/plugin/cli.js perf --ci $WP_BRANCH $PREVIOUS_RELEASE_BRANCH $CURRENT_RELEASE_BRANCH
-      
+
 
diff --git a/.github/workflows/pull-request-automation.yml b/.github/workflows/pull-request-automation.yml
@@ -10,7 +10,7 @@ jobs:
     steps:
     # Checkout defaults to using the branch which triggered the event, which
     # isn't necessarily `trunk` (e.g. in the case of a merge).
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
       with:
         ref: trunk
 

diff --git a/.github/workflows/rnmobile-android-runner.yml b/.github/workflows/rnmobile-android-runner.yml
@@ -20,10 +20,10 @@ jobs:
 
     steps:
     - name: checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Restore npm cache
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       with:
         path: ~/.npm
         key: ${{ runner.os }}-npm-${{ hashFiles('package-lock.json') }}
@@ -33,19 +33,19 @@ jobs:
     - run: npm ci
 
     - name: Restore Gradle cache
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       with:
         path: ~/.gradle/caches
         key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
         restore-keys: ${{ runner.os }}-gradle
 
-    - uses: reactivecircus/android-emulator-runner@v2
+    - uses: reactivecircus/android-emulator-runner@08b092e904025fada32a01b711af1e7ff7b7a4a3 # v2.14.3
       with:
         api-level: 28
         profile: pixel_xl
         script: npm run native test:e2e:android:local ${{ matrix.native-test-name }}
 
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571 # v2.2.2
       if: always()
       with:
         name: android-screen-recordings

diff --git a/.github/workflows/rnmobile-ios-runner.yml b/.github/workflows/rnmobile-ios-runner.yml
@@ -19,10 +19,10 @@ jobs:
         ]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Restore npm cache
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       with:
         path: ~/.npm
         key: ${{ runner.os }}-npm-${{ hashFiles('package-lock.json') }}
@@ -35,13 +35,13 @@ jobs:
       run: find package-lock.json packages/react-native-editor/ios packages/react-native-aztec/ios packages/react-native-bridge/ios -type f -print0 | sort -z | xargs -0 shasum | tee ios-checksums.txt
 
     - name: Restore build cache
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       with:
         path: packages/react-native-editor/ios/build/GutenbergDemo/Build/Products/Release-iphonesimulator/GutenbergDemo.app
         key: ${{ runner.os }}-ios-build-${{ hashFiles('ios-checksums.txt') }}
 
     - name: Restore pods cache
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       with:
         path: |
           packages/react-native-editor/ios/Pods
@@ -70,7 +70,7 @@ jobs:
     - name: Prepare build cache
       run: rm packages/react-native-editor/ios/build/GutenbergDemo/Build/Products/Release-iphonesimulator/GutenbergDemo.app/main.jsbundle
 
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@e448a9b857ee2131e752b06002bf0e093c65e571 # v2.2.2
       if: always()
       with:
         name: ios-screen-recordings

diff --git a/.github/workflows/stale-issue-needs-info.yml b/.github/workflows/stale-issue-needs-info.yml
@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@v3
+    - uses: actions/stale@996798eb71ef485dc4c7b4d3285842d714040c4a # v3.0.17
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'Help us move this issue forward. Since it has no activity after 15 days of requesting more information, a bot is marking the issue as stale. Please add additional information as a comment or this issued will be closed in 5 days.'

diff --git a/.github/workflows/static-checks.yml b/.github/workflows/static-checks.yml
@@ -14,10 +14,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -30,7 +30,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Use Node.js 14.x
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: 14.x
 

diff --git a/.github/workflows/storybook-pages.yml b/.github/workflows/storybook-pages.yml
@@ -10,12 +10,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
       with:
         ref: trunk
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -28,7 +28,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Setup Node
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: '14.x'
 
@@ -39,7 +39,7 @@ jobs:
       run: npm run storybook:build
 
     - name: Deploy
-      uses: peaceiris/actions-gh-pages@v3
+      uses: peaceiris/actions-gh-pages@bbdfb200618d235585ad98e965f4aafc39b4c501 # v3.7.3
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: ./storybook/build
diff --git a/.github/workflows/unit-test.yml b/.github/workflows/unit-test.yml
@@ -19,10 +19,10 @@ jobs:
         node: [12, 14]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -35,7 +35,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Use Node.js ${{ matrix.node }}.x
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: ${{ matrix.node }}
 
@@ -59,10 +59,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -75,7 +75,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Use Node.js 14.x
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: 14.x
 
@@ -107,10 +107,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4
 
     - name: Cache node modules
-      uses: actions/cache@v2
+      uses: actions/cache@26968a09c0ea4f3e233fdddbafd1166051a095f6 # v2.1.4
       env:
         cache-name: cache-node-modules
       with:
@@ -123,7 +123,7 @@ jobs:
           ${{ runner.os }}-
 
     - name: Use Node.js 14.x
-      uses: actions/setup-node@v1
+      uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5
       with:
         node-version: 14.x