From a69300ecf6f4efb67973bb0851c9813301b5386f Mon Sep 17 00:00:00 2001 From: CafebabeTimeLapse Date: Thu, 2 Apr 2026 20:47:50 +0900 Subject: [PATCH] chore: pin GitHub Actions to SHA --- .github/workflows/deploy-benchmark-preview.yml | 4 ++-- .github/workflows/deploy-benchmark-prod.yml | 4 ++-- .github/workflows/stale.yaml | 2 +- .github/workflows/tfjs-ci.yml | 12 ++++++------ .../tfjs-nightly-release-and-publish-test.yml | 6 +++--- .../workflows/tfjs-release-branch-publish-test.yml | 6 +++--- 6 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/deploy-benchmark-preview.yml b/.github/workflows/deploy-benchmark-preview.yml index 8ebd70fbab4..180f33ef720 100644 --- a/.github/workflows/deploy-benchmark-preview.yml +++ b/.github/workflows/deploy-benchmark-preview.yml @@ -14,8 +14,8 @@ jobs: pull-requests: write # for FirebaseExtended/action-hosting-deploy to comment on PRs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: FirebaseExtended/action-hosting-deploy@v0 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: FirebaseExtended/action-hosting-deploy@0cbcac4740c2bfb00d632f0b863b57713124eb5a # v0.9.0 with: repoToken: "${{ secrets.GITHUB_TOKEN }}" firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT_JSTENSORFLOW }}" diff --git a/.github/workflows/deploy-benchmark-prod.yml b/.github/workflows/deploy-benchmark-prod.yml index e9bf2662743..577773caecf 100644 --- a/.github/workflows/deploy-benchmark-prod.yml +++ b/.github/workflows/deploy-benchmark-prod.yml @@ -16,8 +16,8 @@ jobs: pull-requests: write # for FirebaseExtended/action-hosting-deploy to comment on PRs runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: FirebaseExtended/action-hosting-deploy@v0 + - uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2.7.0 + - uses: FirebaseExtended/action-hosting-deploy@0cbcac4740c2bfb00d632f0b863b57713124eb5a # v0.9.0 with: repoToken: "${{ secrets.GITHUB_TOKEN }}" firebaseServiceAccount: "${{ secrets.FIREBASE_SERVICE_ACCOUNT_JSTENSORFLOW }}" diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml index bc4b4bfebe1..61ebb2bb6d1 100644 --- a/.github/workflows/stale.yaml +++ b/.github/workflows/stale.yaml @@ -30,7 +30,7 @@ jobs: stale: runs-on: ubuntu-latest steps: - - uses: 'actions/stale@v7' + - uses: 'actions/stale@6f05e4244c9a0b2ed3401882b05d701dd0a7289b # v7.0.0' with: # Comma separated list of labels that can be assigned to issues to exclude them from being marked as stale. exempt-issue-labels: 'override-stale' diff --git a/.github/workflows/tfjs-ci.yml b/.github/workflows/tfjs-ci.yml index 435b9313755..e71622c70ef 100644 --- a/.github/workflows/tfjs-ci.yml +++ b/.github/workflows/tfjs-ci.yml @@ -14,7 +14,7 @@ jobs: test: runs-on: ubuntu-latest steps: - - uses: bazel-contrib/setup-bazel@0.14.0 + - uses: bazel-contrib/setup-bazel@5483a91b6e3ffac6092848f1dd7eafcfad203d80 # 0.14.0 with: # Avoid downloading Bazel every time. bazelisk-cache: true @@ -22,9 +22,9 @@ jobs: disk-cache: ${{ github.workflow }}-cpu # Share repository cache between workflows. repository-cache: true - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Test TFJS CPU - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20.x cache: 'npm' @@ -35,7 +35,7 @@ jobs: test-gpu-mac: runs-on: macos-latest-xlarge # consumer gpu steps: - - uses: bazel-contrib/setup-bazel@0.14.0 + - uses: bazel-contrib/setup-bazel@5483a91b6e3ffac6092848f1dd7eafcfad203d80 # 0.14.0 with: # Avoid downloading Bazel every time. bazelisk-cache: true @@ -43,9 +43,9 @@ jobs: disk-cache: ${{ github.workflow }}-gpu-mac # Share repository cache between workflows. repository-cache: true - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Test TFJS GPU - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20.x cache: 'npm' diff --git a/.github/workflows/tfjs-nightly-release-and-publish-test.yml b/.github/workflows/tfjs-nightly-release-and-publish-test.yml index aae8c18e7db..2b5bd0d9b06 100644 --- a/.github/workflows/tfjs-nightly-release-and-publish-test.yml +++ b/.github/workflows/tfjs-nightly-release-and-publish-test.yml @@ -13,17 +13,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Bazel - uses: bazel-contrib/setup-bazel@0.14.0 + uses: bazel-contrib/setup-bazel@5483a91b6e3ffac6092848f1dd7eafcfad203d80 # 0.14.0 with: bazelisk-cache: true disk-cache: ${{ github.workflow }}-nightly-release repository-cache: true - name: Setup Node.js and Yarn - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20.x # Using a current LTS version of Node.js cache: 'yarn' diff --git a/.github/workflows/tfjs-release-branch-publish-test.yml b/.github/workflows/tfjs-release-branch-publish-test.yml index df51fa4acca..23217fc372d 100644 --- a/.github/workflows/tfjs-release-branch-publish-test.yml +++ b/.github/workflows/tfjs-release-branch-publish-test.yml @@ -14,17 +14,17 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repository - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Bazel - uses: bazel-contrib/setup-bazel@0.14.0 + uses: bazel-contrib/setup-bazel@5483a91b6e3ffac6092848f1dd7eafcfad203d80 # 0.14.0 with: bazelisk-cache: true disk-cache: ${{ github.workflow }}-release-e2e repository-cache: true - name: Setup Node.js and Yarn - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: 20.x cache: 'yarn' # Changed from 'npm' in example to 'yarn' as primary tool here