ci: pin some workflows to SHAs

to let Dependabot keep track of them using SHAs

codeql-actions doesn't point to SHAs because it isn't clear
whether Dependabot supports their release cycle mentioned
at https://github.com/github/codeql-action/issues/307

diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index ae03f591b3f3a531f21476d34f8d48aa2a223647..5f2959871b2cfe06b984ff6129ce0a58e08beecf 100644 (file)
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -30,6 +30,6 @@ jobs:
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout
-        uses: actions/checkout@v1
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
       - name: Build check (${{ env.COMPILER }}-${{ env.COMPILER_VERSION }})
         run: sudo -E .github/workflows/build_test.sh

diff --git a/.github/workflows/cifuzz.yml b/.github/workflows/cifuzz.yml
index 730bf9d8e659bab740e89c5c34490cd8ae850832..2b5dba17570b4bceafd22a68f18f0b935e00d7a7 100644 (file)
--- a/.github/workflows/cifuzz.yml
+++ b/.github/workflows/cifuzz.yml
@@ -44,7 +44,7 @@ jobs:
           dry-run: false
           sanitizer: ${{ matrix.sanitizer }}
       - name: Upload Crash
-        uses: actions/upload-artifact@v1
+        uses: actions/upload-artifact@27121b0bdffd731efa15d66772be8dc71245d074
         if: failure() && steps.build.outcome == 'success'
         with:
           name: ${{ matrix.sanitizer }}-artifacts

diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
index 2c3c58ad5864c6096ba82eeee8ac92fa07581f54..cb12b0a5d1ae6e256e1cc88b85c5f9974cc9178b 100644 (file)
--- a/.github/workflows/linter.yml
+++ b/.github/workflows/linter.yml
@@ -25,7 +25,7 @@ jobs:
           fetch-depth: 0
 
       - name: Lint Code Base
-        uses: github/super-linter@v3
+        uses: github/super-linter@fd9c4286d3de3fdd9258a395570cae287f13f974
         env:
           DEFAULT_BRANCH: main
           # Excludes: