[StepSecurity] Pin versions for GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
2025-04-19 17:29:20 +08:00 · 2025-04-09 15:24:35 +00:00 · 2025-04-09 15:24:35 +00:00 · 03fea1a038
commit 03fea1a038
parent bf2c378a9b
3 changed files with 3 additions and 3 deletions
--- a/.github/workflows/ci-update-dist.yml
+++ b/.github/workflows/ci-update-dist.yml
@ -54,7 +54,7 @@ jobs:
        cp -r sources/dist .
    - name: Import GPG key to sign commits
-      uses: crazy-max/ghaction-import-gpg@v6
+      uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
      with:
        gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
        passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}
--- a/.github/workflows/integ-test-dependency-graph.yml
+++ b/.github/workflows/integ-test-dependency-graph.yml
@ -178,7 +178,7 @@ jobs:
    runs-on: "ubuntu-latest"
    steps:
    - name: Download dependency-graph artifact
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
      with:
        path: downloaded-dependency-graphs
        pattern: dependency-graph_*dependency-graph-generate-submit-and-upload.json
--- a/.github/workflows/update-checksums-file.yml
+++ b/.github/workflows/update-checksums-file.yml
@ -38,7 +38,7 @@ jobs:
        working-directory: sources
      - name: Import GPG key to sign commits
-        uses: crazy-max/ghaction-import-gpg@v6
+        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
        with:
          gpg_private_key: ${{ secrets.GH_BOT_PGP_PRIVATE_KEY }}
          passphrase: ${{ secrets.GH_BOT_PGP_PASSPHRASE }}