Pin to SHA for untrusted only (#844)

neo4j · Jan 18, 2024 · 848f1ec · 848f1ec
1 parent c55937d
commit 848f1ec
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 26 deletions.
diff --git a/.github/workflows/docs-deploy-surge.yml b/.github/workflows/docs-deploy-surge.yml
@@ -6,7 +6,7 @@
 # This workflow expects the triggering workflow to generate an artifact called "docs"
 # - update the reference to "docs" and "docs.zip" in this workflow if your triggering workflow generates an artifact with a different name
 
-name: "Deploy to surge"
+name: "Deploy docs preview"
 
 on:
   workflow_run:
@@ -80,7 +80,7 @@ jobs:
       # The changelog contains links to new and changed files in the deployed docs
       - name: Comment on PR (changelog)
         if: ${{ hashFiles('changelog') != '' }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
         with:
           number: ${{ steps.get-deploy-id.outputs.deploy-id }}
           recreate: true
@@ -93,7 +93,7 @@ jobs:
         if: ${{ hashFiles('changelog') == '' }}
         env:
           DEPLOY_URL: ${{ steps.get-deploy-url.outputs.deploy-url }}
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd #v2.8.0
         with:
           number: ${{ steps.get-deploy-id.outputs.deploy-id }}
           header: docs-pr-changes

diff --git a/.github/workflows/docs-pr-checks.yml b/.github/workflows/docs-pr-checks.yml
@@ -13,18 +13,17 @@ jobs:
 
   #  Generate HTML
   docs-build-pr:
-    uses: neo4j/docs-tools/.github/workflows/reusable-docs-build.yml@dev
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-build.yml@v1.0.0
     with:
       deploy-id: ${{ github.event.number }}
       retain-artifacts: 14
-      pageList: true
 
   # Parse the json log output from the HTML build, and output warnings and errors as annotations
   # Optionally, fail the build if there are warnings or errors
   # By default, the job fails if there are errors, passes if there are warnings only.
   docs-verify-pr:
     needs: docs-build-pr
-    uses: neo4j/docs-tools/.github/workflows/reusable-docs-verify.yml@dev
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-verify.yml@v1.0.0
     with:
       failOnWarnings: true
 
@@ -41,7 +40,7 @@ jobs:
     steps:
       - name: Get file changes
         id: get-file-changes
-        uses: tj-actions/changed-files@v41
+        uses: tj-actions/changed-files@cbda684547adc8c052d50711417fa61b428a9f88 # v41.1.2
         with:
           separator: ','
           files_yaml: |
@@ -56,22 +55,7 @@ jobs:
   docs-updates-comment-pr:
     if: needs.docs-build-pr.outputs.pages-listed == 'success'
     needs: [docs-build-pr, docs-changes-pr]
-    uses: neo4j/docs-tools/.github/workflows/reusable-docs-pr-changes.yml@dev
+    uses: neo4j/docs-tools/.github/workflows/reusable-docs-pr-changes.yml@v1.0.0
     with:
       pages-modified: ${{ needs.docs-changes-pr.outputs.pages-modified }}
       pages-added: ${{ needs.docs-changes-pr.outputs.pages-added }}
-
-  # Use vale to verify the changes against the style guide
-  # You can specify your own vale config file if you want to override or replace the default Neo4j rules
-  # docs-lint-pr:
-  #   needs: docs-changes-pr
-  #   if: needs.docs-changes-pr.outputs.asciidoc-files != ''
-  #   uses: neo4j/docs-tools/.github/workflows/reusable-docs-vale.yml@dev
-  #   with:
-  #     files: ${{ needs.docs-changes-pr.outputs.asciidoc-files }}
-  #     vale-fail-on-error: true
-  #     # use-default-rules: false
-  #     # vale-config-file: .vale.ini
-  #     separator: ','
-
-
diff --git a/.github/workflows/docs-teardown.yml b/.github/workflows/docs-teardown.yml
@@ -4,7 +4,10 @@ name: "Documentation Teardown"
 on:
   pull_request_target:
     branches:
-      - dev
+      - "dev"
+      - "5.x"
+      - "4.[0-9]"
+      - "3.5"
     types:
       - closed
 
@@ -36,7 +39,7 @@ jobs:
           surge teardown $DEPLOY_URL --token "$SURGE_TOKEN"
 
       - name: Comment on PR
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2.8.0
         with:
           number: ${{ github.event.pull_request.number }}
           header: docs-pr-changes
@@ -45,4 +48,3 @@ jobs:
 
             The preview documentation has now been torn down - reopening this PR will republish it.
           GITHUB_TOKEN: ${{ secrets.DOCS_PR_COMMENT_TOKEN }}
-