ci: pin GitHub Actions to commit SHAs

.github/workflows/check.yml

@@ -30,19 +30,19 @@ jobs:
     timeout-minutes: 5
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: 24
 
       - run: |
           corepack enable
           corepack install
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           cache: yarn
 
@@ -59,26 +59,26 @@ jobs:
     timeout-minutes: 2
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
-      - uses: wagoid/commitlint-github-action@v6
+      - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed
 
   tests:
     runs-on: ${{ vars.ACTIONS_RUNNER_TYPE || 'ubuntu-latest' }}
     timeout-minutes: 5
     continue-on-error: true
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: 24
 
       - run: |
           corepack enable
           corepack install
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           cache: yarn
 

.github/workflows/docker.yml

@@ -36,21 +36,21 @@ jobs:
     continue-on-error: true
     steps:
       - name: Setup QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Docker Metadata
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
         with:
           images: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -61,7 +61,7 @@ jobs:
             test
 
       - name: Build and Push
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           push: true
           tags: ${{ steps.meta.outputs.tags }}

.github/workflows/release.yml

@@ -28,15 +28,15 @@ jobs:
 
     steps:
       - name: Release Please
-        uses: googleapis/release-please-action@v4
+        uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38
         id: release
         with:
           release-type: node
 
       # From:
       # https://github.com/googleapis/release-please-action?tab=readme-ov-file#creating-majorminor-tags
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         if: ${{ steps.release.outputs.release_created }}
 
       - name: Tag Major and Minor Versions
@@ -56,15 +56,15 @@ jobs:
 
       - name: Setup QEMU
         if: ${{ steps.release.outputs.release_created }}
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a
 
       - name: Setup Docker Buildx
         if: ${{ steps.release.outputs.release_created }}
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd
 
       - name: Login to Docker Hub
         if: ${{ steps.release.outputs.release_created }}
-        uses: docker/login-action@v4
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -73,7 +73,7 @@ jobs:
       - name: Docker Metadata
         if: ${{ steps.release.outputs.release_created }}
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf
         with:
           images: |
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
@@ -91,7 +91,7 @@ jobs:
 
       - name: Build and Push
         if: ${{ steps.release.outputs.release_created }}
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294
         with:
           push: true
           tags: ${{ steps.meta.outputs.tags }}

README.md

@@ -46,7 +46,9 @@ For the application-level environment variables, please refer to the
 
 ## CI / CD
 
-This template supports GitHub Actions for CI / CD. The available workflows are:
+This template supports GitHub Actions for CI / CD. All GitHub Actions are pinned to specific commit SHAs to mitigate supply chain attacks.
+
+The available workflows are:
 
 - Checks / eslint: Run ES Lint to check problems and the format of the code.
 - Checks / commitlint: Run Commitlint to check the format of the commit messages.