chore(ci): pin GitHub Actions to commit SHAs (#1811) (#1870)

* chore(ci): pin GitHub Actions to commit SHAs (#1811) Follow-up to #1810. The Node-24 upgrade left every workflow on mutable tag refs (`actions/checkout@v5`, `actions/download-artifact@v7`, etc.) which superagent-security[bot] flagged on the ci.yml + publish.yml reviews. Pin all 18 external actions to the commit SHA they currently resolve to and add a trailing `# vMAJOR.MINOR.PATCH` comment so reviewers can see the version. Local reusable-workflow refs (`uses: ./.github/...`) are left alone — pinning those would defeat the point. Closes #1811 * chore(ci): address review — persist-credentials + setup-node consistency (#1811) Two pieces of follow-up feedback on the SHA-pinning PR: - @coderabbitai (P1 nitpicks) + @JSONbored: add 'persist-credentials: false' to checkout steps in jobs that don't perform authenticated git operations. Adds the line to 17 read-only checkouts across 9 workflows (chart-ci, ci, flutter-build, helm-publish, ios-testflight, llm-evals, preview-cleanup, preview-deploy, publish:build). Checkouts inside jobs that 'git push' (chart-release, mobile-build, mobile-release, helm-publish:second-checkout, publish:bump-pre_release) are intentionally left alone so they keep their token. - @jjmata: preview-deploy.yml was the only workflow on actions/setup-node v6.4.0; everywhere else pinned v5.0.0. Standardise on v5.0.0 to match. Dependabot config already has a github-actions ecosystem entry with a weekly schedule, so no addition needed for that point. * chore(ci): document intentional setup-node v6→5 normalization (#1811) @superagent-security flagged the v6.4.0 -> v5.0.0 change in preview-deploy.yml as a possible unintended downgrade. The downgrade was deliberate, per @jjmata's review request to normalize setup-node across all workflows. Add an inline YAML comment next to the line so future scans don't re-flag it. --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: jeffrey701 <jeffrey701@users.noreply.github.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
2026-06-01 08:49:01 +00:00 · 2026-05-30 14:35:19 -07:00
parent f7df709e6d
commit 956c27df6b
14 changed files with 104 additions and 72 deletions
--- a/.github/workflows/mobile-release.yml
+++ b/.github/workflows/mobile-release.yml
@@ -23,7 +23,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          fetch-depth: 0

@@ -112,13 +112,13 @@ jobs:
          echo "Extracted version: $VERSION"

      - name: Download Android APK artifact
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: app-release-apk
          path: ${{ runner.temp }}/mobile-artifacts

      - name: Download iOS build artifact
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: ios-build-unsigned
          path: ${{ runner.temp }}/ios-build
@@ -258,7 +258,7 @@ jobs:
          done

      - name: Checkout gh-pages branch
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
        with:
          ref: gh-pages
          path: gh-pages