chore: update GitHub Actions workflows with version pinning and permission adjustments

2026-06-05 14:24:20 +00:00 · 2026-05-28 14:16:29 -05:00
parent bba8d33719
commit ae20819e22
5 changed files with 24 additions and 23 deletions
--- a/.github/workflows/build-and-push-docker.yml
+++ b/.github/workflows/build-and-push-docker.yml
@@ -25,16 +25,16 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          submodules: recursive

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

      - name: Log in to the Container registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -42,7 +42,7 @@ jobs:

      - name: Extract metadata (tags, labels) for Docker
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
@@ -55,7 +55,7 @@ jobs:

      - name: Build and push Docker image
        id: push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
@@ -66,7 +66,7 @@ jobs:

      - name: Generate artifact attestation
        if: github.event_name != 'pull_request'
-        uses: actions/attest-build-provenance@v2
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          subject-digest: ${{ steps.push.outputs.digest }}
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -12,18 +12,18 @@ jobs:
  build-and-test:
    name: Build & Test (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
-    continue-on-error: true
+    continue-on-error: ${{ github.event_name != 'push' || !startsWith(github.ref, 'refs/tags/v') }}
    strategy:
      matrix:
        os: [ windows-2022, ubuntu-22.04, macos-15-intel ]

    steps:
-    - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2
+    - uses: actions/checkout@v4
      with:
        submodules: true
    - name: Add msbuild to PATH (Windows only)
      if: ${{ matrix.os == 'windows-2022' }}
-      uses: microsoft/setup-msbuild@767f00a3f09872d96a0cb9fcd5e6a4ff33311330
+      uses: microsoft/setup-msbuild@30375c66a4eea26614e0d39710365f22f8b0af57 # v3
      with:
        vs-version: '[17,18)'
        msbuild-architecture: x64
@@ -33,15 +33,15 @@ jobs:
        brew install openssl@3
        sudo xcode-select -s /Applications/Xcode_15.2.app/Contents/Developer
    - name: Get CMake 3.x
-      uses: lukka/get-cmake@28983e0d3955dba2bb0a6810caae0c6cf268ec0c
+      uses: lukka/get-cmake@591817e96fcad43505fb4eae36172462abb3a42e # v4.3.3
      with:
-        cmakeVersion: "~3.25.0"  # <--= optional, use most recent 3.25.x version
+        cmakeVersion: "~3.25.0"
    - name: cmake
-      uses: lukka/run-cmake@67c73a83a46f86c4e0b96b741ac37ff495478c38
+      uses: lukka/run-cmake@5d55ea7949e25f69f0ecb516d8d572297e03a956 # v10.9
      with:
        workflowPreset: "ci-${{matrix.os}}"
    - name: artifacts
-      uses: actions/upload-artifact@6027e3dd177782cd8ab9af838c04fd81a07f1d47
+      uses: actions/upload-artifact@v4
      with:
        name: build-${{matrix.os}}
        path: |
--- a/.github/workflows/canary.yml
+++ b/.github/workflows/canary.yml
@@ -17,7 +17,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          ref: ${{ github.event.workflow_run.head_sha }}
@@ -29,7 +29,7 @@ jobs:
          echo "tag=$tag" >> "$GITHUB_OUTPUT"

      - name: Generate changelog since last release tag
-        uses: orhun/git-cliff-action@v4
+        uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5 # v4.8.0
        id: cliff
        with:
          config: cliff.toml
@@ -51,7 +51,7 @@ jobs:
          printf "%b" "$header" | cat - CHANGES.md > CHANGES.tmp && mv CHANGES.tmp CHANGES.md

      - name: Download artifacts from CI run
-        uses: dawidd6/action-download-artifact@v6
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
        with:
          run_id: ${{ github.event.workflow_run.id }}
          path: artifacts/
@@ -78,7 +78,7 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Create canary pre-release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
        with:
          tag: canary
          name: "Canary ${{ steps.last_tag.outputs.tag }}+${{ github.event.workflow_run.head_sha }}"
--- a/.github/workflows/pr-title-check.yml
+++ b/.github/workflows/pr-title-check.yml
@@ -5,7 +5,7 @@ on:
    types: [opened, edited, synchronize, reopened]

 permissions:
-  pull-requests: read
+  pull-requests: write

 jobs:
  check-title:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,20 +12,21 @@ permissions:
 jobs:
  release:
    name: Create Release
-    # Only run when CI completed successfully on a version tag
+    # Only run when CI completed successfully on a tag push (not a PR branch named like a version)
    if: |
      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'push' &&
      startsWith(github.event.workflow_run.head_branch, 'v')
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          ref: ${{ github.event.workflow_run.head_sha }}

      - name: Generate changelog
-        uses: orhun/git-cliff-action@v4
+        uses: orhun/git-cliff-action@f50e11560dce63f7c33227798f90b924471a88b5 # v4.8.0
        id: cliff
        with:
          config: cliff.toml
@@ -35,7 +36,7 @@ jobs:
          GITHUB_REPO: ${{ github.repository }}

      - name: Download artifacts from CI run
-        uses: dawidd6/action-download-artifact@v6
+        uses: dawidd6/action-download-artifact@b6e2e70617bc3265edd6dab6c906732b2f1ae151 # v21
        with:
          run_id: ${{ github.event.workflow_run.id }}
          path: artifacts/
@@ -57,7 +58,7 @@ jobs:
          ls -lh *.zip

      - name: Create GitHub Release
-        uses: ncipollo/release-action@v1
+        uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
        with:
          tag: ${{ github.event.workflow_run.head_branch }}
          name: ${{ github.event.workflow_run.head_branch }}