feat(sec): harden GHA ref by using its SHA ID to prevent accidental usage of compromised actions (#38782)

Signed-off-by: hainenber <dotronghai96@gmail.com> (cherry picked from commit 83823911b5)
2026-05-07 17:04:58 +00:00 · 2026-03-21 21:27:30 +07:00
parent c26d2de616
commit 493f6c0aed
40 changed files with 133 additions and 133 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
    name: Bump version and publish package(s)
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # pulls all commits (needed for lerna / semantic release to correctly version)
          fetch-depth: 0
@@ -42,13 +42,13 @@ jobs:

      - name: Install Node.js
        if: env.HAS_TAGS
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
        with:
          node-version-file: './superset-frontend/.nvmrc'

      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        with:
          path: ~/.npm # npm cache files are stored in `~/.npm` on Linux/macOS
          key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }}
@@ -62,7 +62,7 @@ jobs:
        run: echo "dir=$(npm config get cache)" >> $GITHUB_OUTPUT
      - name: Cache npm
        if: env.HAS_TAGS
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
        id: npm-cache # use this to check for `cache-hit` (`steps.npm-cache.outputs.cache-hit != 'true'`)
        with:
          path: ${{ steps.npm-cache-dir-path.outputs.dir }}