From bdea21923622a7828dc1a4a0eda57abc7b51d3c6 Mon Sep 17 00:00:00 2001
From: Matt Borgerson <contact@mborgerson.com>
Date: Thu, 27 Mar 2025 15:53:38 -0700
Subject: [PATCH] ci: Pin actions to commit hash

---
 .../workflows/build-xemu-win64-toolchain.yml  | 10 ++---
 .github/workflows/build.yml                   | 42 +++++++++----------
 2 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/build-xemu-win64-toolchain.yml b/.github/workflows/build-xemu-win64-toolchain.yml
index deefd9c070..972382d5d7 100644
--- a/.github/workflows/build-xemu-win64-toolchain.yml
+++ b/.github/workflows/build-xemu-win64-toolchain.yml
@@ -21,10 +21,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Clone tree
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       - name: Extract image metadata (tags, labels)
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           labels: |
@@ -35,16 +35,16 @@ jobs:
             type=ref,event=branch
             type=sha
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3
         if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5
         with:
           context: ubuntu-win64-cross
           push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0ef3537790..79876dd479 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Clone tree
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
       with:
         fetch-depth: 0
     - name: Install dependencies
@@ -50,7 +50,7 @@ jobs:
         ./scripts/archive-source.sh src.tar
         gzip -1 src.tar
     - name: Upload source package artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: src.tar.gz
         path: src.tar.gz
@@ -83,14 +83,14 @@ jobs:
 
     steps:
     - name: Download source package
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         name: src.tar.gz
     - name: Extract source package
       run: tar xf src.tar.gz
     - name: Initialize compiler cache
       id: cache
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: /tmp/xemu-ccache
         key: cache-wincross-${{ runner.os }}-${{ matrix.arch }}-${{ matrix.configuration }}-${{ github.sha }}
@@ -111,7 +111,7 @@ jobs:
           $DOCKER_IMAGE_NAME \
             bash -c "ccache -z; ./build.sh -p win64-cross ${{ matrix.build_param }} && ccache -s"
     - name: Upload build artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: ${{ matrix.artifact_name }}
         path: dist
@@ -140,7 +140,7 @@ jobs:
           arch: aarch64
     steps:
     - name: Download artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         name: ${{ matrix.artifact_name }}
         path: ${{ matrix.artifact_name }}
@@ -157,7 +157,7 @@ jobs:
         7z a -tzip ../dist/${{ matrix.artifact_name }}.zip * "-xr!*.pdb"
         7z a -tzip ../dist/${{ matrix.artifact_name }}-pdb.zip "-ir!*.pdb"
     - name: Upload build artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: ${{ matrix.artifact_name }}-pdb
         path: dist
@@ -196,13 +196,13 @@ jobs:
     steps:
     - name: Initialize compiler cache
       id: cache
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: /tmp/xemu-ccache
         key: cache-${{ runner.os }}-${{ matrix.arch }}-${{ matrix.configuration }}-${{ github.sha }}
         restore-keys: cache-${{ runner.os }}-${{ matrix.arch }}-${{ matrix.configuration }}-
     - name: Download source package
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         name: src.tar.gz
     - name: Extract source package
@@ -266,7 +266,7 @@ jobs:
       run: |
         tar -czvf ${{ matrix.artifact_filename }} --transform "s#^dist#xemu#" dist
     - name: Upload build artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: ${{ matrix.artifact_name }}
         path: ${{ matrix.artifact_filename }}
@@ -300,7 +300,7 @@ jobs:
           artifact_filename: xemu-macos-arm64-release.zip
     steps:
     - name: Download source package
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         name: src.tar.gz
     - name: Extract source package
@@ -319,7 +319,7 @@ jobs:
         pip install pyyaml requests
     - name: Initialize compiler, library cache
       id: cache
-      uses: actions/cache@v4
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
       with:
         path: |
           xemu-ccache
@@ -339,7 +339,7 @@ jobs:
         zip -r ../${{ matrix.artifact_filename }} *
         popd
     - name: Upload build artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: ${{ matrix.artifact_name }}
         path: ${{ matrix.artifact_filename }}
@@ -353,12 +353,12 @@ jobs:
         configuration: ["debug", "release"]
     steps:
     - name: Download x86_64 build
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         name: xemu-macos-x86_64-${{ matrix.configuration }}
         path: xemu-macos-x86_64-${{ matrix.configuration }}
     - name: Download arm64 build
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         name: xemu-macos-arm64-${{ matrix.configuration }}
         path: xemu-macos-arm64-${{ matrix.configuration }}
@@ -382,7 +382,7 @@ jobs:
         zip -r ../xemu-macos-universal-${{ matrix.configuration }}.zip *
         popd
     - name: Upload build artifact
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
       with:
         name: xemu-macos-universal-${{ matrix.configuration }}
         path: xemu-macos-universal-${{ matrix.configuration }}.zip
@@ -393,7 +393,7 @@ jobs:
     needs: [Ubuntu, macOSUniversal, Windows, WindowsPdb]
     steps:
     - name: Download artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         path: dist
     - name: Extract source package
@@ -415,7 +415,7 @@ jobs:
       run: |
         cp dist/xemu-win-x86_64-release-pdb/xemu-win-x86_64-release.zip dist/xemu-win-x86_64-release-pdb/xemu-win-release.zip
     - name: Publish release
-      uses: softprops/action-gh-release@v1
+      uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
       with:
         tag_name: v${{ env.XEMU_VERSION }}
         name: v${{ env.XEMU_VERSION }}
@@ -439,7 +439,7 @@ jobs:
           dist/xemu-ubuntu-aarch64-debug/xemu/xemu-v${{ env.XEMU_VERSION }}-dbg-aarch64.AppImage
           dist/xemu-ubuntu-aarch64-release/xemu/xemu-v${{ env.XEMU_VERSION }}-aarch64.AppImage
     - name: Trigger website update
-      uses: benc-uk/workflow-dispatch@v1.2.2
+      uses: benc-uk/workflow-dispatch@798e70c97009500150087d30d9f11c5444830385 # v1.2.2
       with:
         workflow: build.yml
         repo: xemu-project/xemu-website
@@ -457,7 +457,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Download source package
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4
       with:
         name: src.tar.gz
     - name: Extract source package
@@ -476,7 +476,7 @@ jobs:
          -- Matt Borgerson <contact@mborgerson.com>  $(date -R)" > debian/changelog
         popd
     - name: Deploy source archive to branch
-      uses: peaceiris/actions-gh-pages@v3
+      uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: ./src