Merge pull request #180 from Automattic/pin-actions

chore: pin actions

.github/workflows/build-push.yml

@@ -36,7 +36,7 @@ jobs:
         image: ${{ fromJson(needs.prepare.outputs.images) }}
     steps:
       - name: Check out the repo
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
 
@@ -62,7 +62,7 @@ jobs:
           fi
 
       - name: Expose GitHub Runtime
-        uses: Automattic/vip-actions/expose-github-runtime@trunk
+        uses: Automattic/vip-actions/expose-github-runtime@e1faabf165941008de4c0c1381df153e49d8ad2c # v0.6.0
 
       - name: Set up Docker
         uses: crazy-max/ghaction-setup-docker@5bddaa4323ffd60efb2b5045b75b9637c12d4e50 # v3.2.0
@@ -75,15 +75,15 @@ jobs:
             }
   
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         if: steps.changes.outputs.needs_build == 'true'
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
         if: steps.changes.outputs.needs_build == 'true'
 
       - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         if: steps.changes.outputs.needs_build == 'true'
         with:
           registry: https://ghcr.io
@@ -115,10 +115,6 @@ jobs:
         run: npm install -g @devcontainers/cli
         if: ${{ steps.changes.outputs.needs_build == 'true' && steps.exists.outputs.exists != 'true' }}
 
-      - name: Expose GitHub Runtime
-        uses: Automattic/vip-actions/expose-github-runtime@trunk
-        if: ${{ steps.changes.outputs.needs_build == 'true' && steps.exists.outputs.exists != 'true' }}
-
       - name: Build image
         run: |
           devcontainer build \
@@ -145,7 +141,7 @@ jobs:
       packages: write
     steps:
       - name: Check out the repo
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
 
@@ -167,7 +163,7 @@ jobs:
           fi
 
       - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: https://ghcr.io
           username: ${{ github.actor }}}
@@ -190,7 +186,7 @@ jobs:
       packages: write
     steps:
       - name: Check out the repo
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
 
@@ -212,7 +208,7 @@ jobs:
           fi
 
       - name: Log in to GitHub Docker Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         with:
           registry: https://ghcr.io
           username: ${{ github.actor }}}

.github/workflows/build.yml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
 
@@ -52,19 +52,19 @@ jobs:
           fi
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
         if: steps.changes.outputs.needs_build == 'true'
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
         if: steps.changes.outputs.needs_build == 'true'
 
       - name: Install @devcontainers/cli
         run: npm install -g @devcontainers/cli
         if: steps.changes.outputs.needs_build == 'true'
 
       - name: Expose GitHub Runtime
-        uses: Automattic/vip-actions/expose-github-runtime@trunk
+        uses: Automattic/vip-actions/expose-github-runtime@e1faabf165941008de4c0c1381df153e49d8ad2c # v0.6.0
         if: steps.changes.outputs.needs_build == 'true'
 
       - name: Build image

.github/workflows/generate-docs.yml

@@ -22,16 +22,16 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Generate documentation
-        uses: devcontainers/[email protected]
+        uses: devcontainers/action@528049dce833673f136ddfc09c2720d450029a6b # v1.4.2
         with:
           generate-docs: true
           base-path-to-features: ./features/src
 
       - name: Create a PR for documentation
-        uses: peter-evans/[email protected]
+        uses: peter-evans/create-pull-request@6d6857d36972b65feb161a90e484f2984215f83e # v6.0.5
         with:
           add-paths: ':(glob)features/src/**/README.md'
           commit-message: 'docs: automated documentation update'

.github/workflows/sanity-checks.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the source code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
 

.github/workflows/shellcheck.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out source code
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Add error matcher
         run: echo "::add-matcher::$(pwd)/.github/problem-matcher-gcc.json"

.github/workflows/smoke-tests.yml

@@ -45,7 +45,7 @@ jobs:
       BUILDKIT_PROGRESS: plain
     steps:
       - name: Check out the repo
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Copy features
         working-directory: test
@@ -55,10 +55,10 @@ jobs:
           sed -i 's!ghcr.io/automattic/vip-codespaces/!./.devcontainer/features/!' .devcontainer/features/*/devcontainer-feature.json
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
 
       - name: Expose GitHub Runtime
-        uses: Automattic/vip-actions/expose-github-runtime@trunk
+        uses: Automattic/vip-actions/expose-github-runtime@e1faabf165941008de4c0c1381df153e49d8ad2c # v0.6.0
 
       - name: Install @devcontainers/cli
         run: npm install -g @devcontainers/cli

.github/workflows/validate.yml

@@ -17,10 +17,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       - name: Validate devcontainer-feature.json files
-        uses: devcontainers/[email protected]
+        uses: devcontainers/action@528049dce833673f136ddfc09c2720d450029a6b # v1.4.2
         with:
           validate-only: "true"
           base-path-to-features: "./features/src"