From 913cd257f4979bbf3b755489af958cf550773726 Mon Sep 17 00:00:00 2001
From: Janne Mareike Koschinski
Date: Fri, 10 Mar 2023 13:56:23 +0100
Subject: [PATCH] Pin versions of third-party github actions (#3208)
---
 .github/workflows/backport.yml | 2 +-
 .github/workflows/docs-pr-netlify.yaml | 2 +-
 .github/workflows/notify-downstream.yaml | 2 +-
 .github/workflows/pull_request.yaml | 2 +-
 .github/workflows/release-npm.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 .github/workflows/sonarcloud.yml | 4 ++--
 .github/workflows/sonarqube.yml | 2 +-
 .github/workflows/tests.yml | 2 +-
 .github/workflows/upgrade_dependencies.yml | 4 ++--
 10 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 32deb2f2b57..e10937278f0 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -23,7 +23,7 @@ jobs:
 )
 )
 steps:
- - uses: tibdex/backport@v2
+ - uses: tibdex/backport@2e217641d82d02ba0603f46b1aeedefb258890ac # v2
 with:
 labels_template: "<%= JSON.stringify([...labels, 'X-Release-Blocker']) %>"
 # We can't use GITHUB_TOKEN here or CI won't run on the new PR
diff --git a/.github/workflows/docs-pr-netlify.yaml b/.github/workflows/docs-pr-netlify.yaml
index 903ad2a4226..bf0ef3ae482 100644
--- a/.github/workflows/docs-pr-netlify.yaml
+++ b/.github/workflows/docs-pr-netlify.yaml
@@ -14,7 +14,7 @@ jobs:
 # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
 # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
 - name: 📥 Download artifact
- uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # v2.26.0
+ uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # v2
 with:
 workflow: static_analysis.yml
 run_id: ${{ github.event.workflow_run.id }}
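Review bot: The `# v2` comment after the pinned SHA in backport.yml names a moving major tag, so it records neither which release the SHA is nor anything a reader can check later. The docs-pr-netlify.yaml hunk shows the cost: the SHA is unchanged but its comment goes from `# v2.26.0` to `# v2`, dropping the exact release. I would keep `uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # v2.26.0` and write the exact release tag in the other comments too (notify-downstream, pull_request, release-npm, release, sonarcloud, sonarqube, tests, upgrade_dependencies). Nothing verifies these comments, so each SHA should be confirmed to be the commit that tag points to in the action's own repository rather than in a fork of it.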
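Review bot: The artifact fetched by the `Download artifact` step in docs-pr-netlify.yaml is still untrusted input after the action is pinned, because `run_id: ${{ github.event.workflow_run.id }}` takes it from whichever run triggered this workflow. If that run can come from a fork pull request (the trigger is outside the hunk), later steps should only read the files as data, from a dedicated directory, and never execute or source them. A comment above the step such as `# Artifact is produced by the triggering run and may come from a fork: treat contents as untrusted` would record that; sonarqube.yml has the same step. The rest of the job is outside the hunk.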
diff --git a/.github/workflows/notify-downstream.yaml b/.github/workflows/notify-downstream.yaml
index 1a7fee20eba..b295c179b7a 100644
--- a/.github/workflows/notify-downstream.yaml
+++ b/.github/workflows/notify-downstream.yaml
@@ -20,7 +20,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Notify matrix-react-sdk repo that a new SDK build is on develop so it can CI against it
- uses: peter-evans/repository-dispatch@v2
+ uses: peter-evans/repository-dispatch@26b39ed245ab8f31526069329e112ab2fb224588 # v2
 with:
 token: ${{ secrets.ELEMENT_BOT_TOKEN }}
 repository: ${{ matrix.repo }}
diff --git a/.github/workflows/pull_request.yaml b/.github/workflows/pull_request.yaml
index 3b0e55451f9..5e110eed397 100644
--- a/.github/workflows/pull_request.yaml
+++ b/.github/workflows/pull_request.yaml
@@ -39,7 +39,7 @@ jobs:
 if: github.event.action == 'opened'
 steps:
 - name: Check membership
- uses: tspascoal/get-user-teams-membership@v2
+ uses: tspascoal/get-user-teams-membership@37c08f7b52a72ca95d12af2e7ab2553ca9adf13b # v2
 id: teams
 with:
 username: ${{ github.event.pull_request.user.login }}
diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml
index 88f452faf5a..a33ddf2eb09 100644
--- a/.github/workflows/release-npm.yml
+++ b/.github/workflows/release-npm.yml
@@ -24,7 +24,7 @@ jobs:
 - name: 🚀 Publish to npm
 id: npm-publish
- uses: JS-DevTools/npm-publish@v1
+ uses: JS-DevTools/npm-publish@0f451a94170d1699fd50710966d48fb26194d939 # v1
 with:
 token: ${{ secrets.NPM_TOKEN }}
 access: public
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 962e2b36c9d..1edfb3b2440 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,7 +46,7 @@ jobs:
 fi
 - name: 🚀 Deploy
- uses: peaceiris/actions-gh-pages@v3
+ uses: peaceiris/actions-gh-pages@bd8c6b06eba6b3d25d72b7a1767993c0aeee42e7 # v3
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 keep_files: true
diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml
index 5c678c394e4..b7788aee47c 100644
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@@ -17,7 +17,7 @@ jobs:
 steps:
 # We create the status here and then update it to success/failure in the `report` stage
 # This provides an easy link to this workflow_run from the PR before Cypress is done.
- - uses: Sibz/github-status-action@v1
+ - uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
 with:
 authToken: ${{ secrets.GITHUB_TOKEN }}
 state: pending
@@ -42,7 +42,7 @@ jobs:
 coverage_extract_path: coverage
 extra_args: ${{ inputs.extra_args }}
- - uses: Sibz/github-status-action@v1
+ - uses: Sibz/github-status-action@faaa4d96fecf273bd762985e0e7f9f933c774918 # v1
 if: always()
 with:
 authToken: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/sonarqube.yml b/.github/workflows/sonarqube.yml
index f3946219183..55ff9a3b1f2 100644
--- a/.github/workflows/sonarqube.yml
+++ b/.github/workflows/sonarqube.yml
@@ -19,7 +19,7 @@ jobs:
 # There's a 'download artifact' action, but it hasn't been updated for the workflow_run action
 # (https://github.com/actions/download-artifact/issues/60) so instead we get this mess:
 - name: 📥 Download artifact
- uses: dawidd6/action-download-artifact@v2
+ uses: dawidd6/action-download-artifact@5e780fc7bbd0cac69fc73271ed86edf5dcb72d67 # v2
 with:
 workflow: tests.yaml
 run_id: ${{ github.event.workflow_run.id }}
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 0093c679122..077033b168d 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -36,7 +36,7 @@ jobs:
 - name: Get number of CPU cores
 id: cpu-cores
- uses: SimenB/github-actions-cpu-cores@v1
+ uses: SimenB/github-actions-cpu-cores@410541432439795d30db6501fb1d8178eb41e502 # v1
 - name: Load metrics reporter
 id: metrics
diff --git a/.github/workflows/upgrade_dependencies.yml b/.github/workflows/upgrade_dependencies.yml
index 9858c2c80d2..42db6c642b8 100644
--- a/.github/workflows/upgrade_dependencies.yml
+++ b/.github/workflows/upgrade_dependencies.yml
@@ -20,7 +20,7 @@ jobs:
 - name: Create Pull Request
 id: cpr
- uses: peter-evans/create-pull-request@v4
+ uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4
 with:
 token: ${{ secrets.ELEMENT_BOT_TOKEN }}
 branch: actions/upgrade-deps
@@ -31,7 +31,7 @@ jobs:
 T-Task
 - name: Enable automerge
- uses: peter-evans/enable-pull-request-automerge@v2
+ uses: peter-evans/enable-pull-request-automerge@684fed02ccc9b5eefcf7d40b65b3cd44255bd5bc # v2
 if: steps.cpr.outputs.pull-request-operation == 'created'
 with:
 token: ${{ secrets.ELEMENT_BOT_TOKEN }}
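Review bot: The `Enable automerge` step hands `secrets.ELEMENT_BOT_TOKEN` to a third-party action that arms merging of a bot-authored pull request on `actions/upgrade-deps`, and nothing in the visible lines says what gates that merge. The SHA pin fixes the action's code, but whether the PR can merge without human review depends on branch protection, which is not visible here. I would add a comment above the step naming the required status checks or reviews that must pass before automerge completes. The job's remaining steps are outside the hunk.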