Pin GH actions

Dependabot is also capable of pinning to future tag releases and will maintain the comment that descibes the shasum. dependabot/dependabot-core#4691 Signed-off-by: Marco Franssen <[email protected]>
marcofranssen · Jan 3, 2023 · e9a4264 · e9a4264
1 parent 42540ae
commit e9a4264
Show file tree

Hide file tree

Showing 4 changed files with 145 additions and 173 deletions.
diff --git a/.github/workflows/depsreview.yaml b/.github/workflows/depsreview.yaml
@@ -10,6 +10,6 @@ jobs:
 
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@v3
+        uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # ratchet:actions/dependency-review-action@v3
diff --git a/.github/workflows/nightly_build.yaml b/.github/workflows/nightly_build.yaml
@@ -18,19 +18,19 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # ratchet:actions/checkout@v3
       - name: Build images
         run: make images scratch-images
       - name: Log in to GCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
         with:
           registry: gcr.io
           username: _json_key
           password: ${{ secrets.GCR_JSON_KEY }}
       - name: Push images
         run: ./.github/workflows/scripts/push-images.sh nightly
       - name: Log in to GHCR
-        uses: docker/login-action@v2
+        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # ratchet:docker/login-action@v2
         with:
           registry: ghcr.io
           username: ${{ github.actor }}