Pin actions and extract expressions to env vars (#7719)

2026-03-30 00:02:16 +08:00 · 2026-03-26 16:01:48 -04:00 · 2026-03-26 16:01:48 -04:00 · 2743655ab5
commit 2743655ab5
parent 8d9a44a024
3 changed files with 31 additions and 24 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -34,7 +34,7 @@ jobs:
      - name: Checkout repo
        uses: actions/checkout@v6
      - name: Check changed files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
        id: filter
        with:
          filters: |
@ -98,7 +98,7 @@ jobs:
    if: needs.changes.outputs.helm == 'true'
    steps:
      - uses: actions/checkout@v6
-      - uses: azure/setup-helm@v4
+      - uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: helm plugin install https://github.com/instrumenta/helm-kubeval
@ -151,7 +151,7 @@ jobs:
            test/package-lock.json
      - run: SKIP_SUBMODULE_DEPS=1 npm ci
      - run: npm run test:unit
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5
        if: success()
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
@ -167,7 +167,7 @@ jobs:
        with:
          submodules: true
      - run: sudo apt update && sudo apt install -y libkrb5-dev
-      - uses: awalsh128/cache-apt-pkgs-action@latest
+      - uses: awalsh128/cache-apt-pkgs-action@2c09a5e66da6c8016428a2172bd76e5e4f14bb17 # latest
        with:
          packages: quilt
          version: 1.0
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@ -33,7 +33,7 @@ jobs:
          node-version-file: .node-version

      - name: Download npm package from release artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
        with:
          repository: "coder/code-server"
          tag: ${{ github.event.inputs.version || github.ref_name }}
@ -43,9 +43,10 @@ jobs:
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

+        env:
+          TAG: ${{ github.event.inputs.version || github.ref_name }}
      - run: npm run publish:npm
        env:
          VERSION: ${{ env.VERSION }}
@ -88,11 +89,12 @@ jobs:
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

+        env:
+          TAG: ${{ github.event.inputs.version || github.ref_name }}
      - name: Validate package
-        uses: heyhusen/archlinux-package-action@v3.0.0
+        uses: heyhusen/archlinux-package-action@c9f94059ccbebe8710d31d582f33ef4e84fe575c # v3.0.0
        env:
          VERSION: ${{ env.VERSION }}
        with:
@ -119,19 +121,19 @@ jobs:
        uses: actions/checkout@v6

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3

      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@ -140,11 +142,12 @@ jobs:
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
-          TAG="${{ github.event.inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

+        env:
+          TAG: ${{ github.event.inputs.version || github.ref_name }}
      - name: Download deb artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
        with:
          repository: "coder/code-server"
          tag: v${{ env.VERSION }}
@ -152,7 +155,7 @@ jobs:
          out-file-path: "release-packages"

      - name: Download rpm artifacts
-        uses: robinraju/release-downloader@v1.12
+        uses: robinraju/release-downloader@daf26c55d821e836577a15f77d86ddc078948b05 # v1.12
        with:
          repository: "coder/code-server"
          tag: v${{ env.VERSION }}
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -111,14 +111,15 @@ jobs:
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
-          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
      - env:
          VERSION: ${{ env.VERSION }}
        run: npm run package $PKG_ARCH

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@ -171,15 +172,16 @@ jobs:
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
-          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
      - name: Build packages with nfpm
        env:
          VERSION: ${{ env.VERSION }}
        run: npm run package

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@ -232,15 +234,16 @@ jobs:
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
-          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
      - name: Build packages with nfpm
        env:
          VERSION: ${{ env.VERSION }}
        run: npm run package

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@ -257,7 +260,7 @@ jobs:
        with:
          name: npm-release-package

-      - uses: softprops/action-gh-release@v1
+      - uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
        with:
          draft: true
          discussion_category_name: "📣 Announcements"
@ -269,7 +272,7 @@ jobs:
    timeout-minutes: 15
    steps:
      - name: Download artifacts
-        uses: dawidd6/action-download-artifact@v16
+        uses: dawidd6/action-download-artifact@2536c51d3d126276eb39f74d6bc9c72ac6ef30d3 # v16
        id: download
        with:
          branch: ${{ github.ref }}
@ -284,9 +287,10 @@ jobs:
      # Strip out the v (v4.9.1 -> 4.9.1).
      - name: Get and set VERSION
        run: |
-          TAG="${{ inputs.version || github.ref_name }}"
          echo "VERSION=${TAG#v}" >> $GITHUB_ENV

+        env:
+          TAG: ${{ inputs.version || github.ref_name }}
      - name: Modify version
        env:
          VERSION: ${{ env.VERSION }}