chore(sec): pin github deps to shas (#1444)

## Launch Checklist Our CI uses a few actions. For these actions, we currently just use the mutable GitHub tag. Since we use Dependabot to update the versions, we should use SHAs. This makes sure that we are not affected by a certain class of supply chain vulnerability where attackers re-publish bad tags. Using SHAs matches GitHub recommendations and is a part of the OpenSSFs Scorecard. - [x] Confirm **your changes do not include backports from Mapbox projects** (unless with compliant license) - if you are not sure about this, please ask! - [ ] Add an entry to `CHANGELOG.md` under the `## main` section. ^--- not sure if you want this. Other maintenance actions don't show up as well.
2025-12-25 23:50:02 +00:00 · 2025-10-10 15:55:05 +02:00
parent 8cd5e28f3a
commit 006eb89fae
6 changed files with 39 additions and 39 deletions
--- a/.github/workflows/create-bump-version-pr.yml
+++ b/.github/workflows/create-bump-version-pr.yml
@@ -16,13 +16,13 @@ jobs:
      run:
        shell: bash
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
          ref: main

      - name: Use Node.js from nvmrc
-        uses: actions/setup-node@v5
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version-file: ".nvmrc"

@@ -32,7 +32,7 @@ jobs:
          ./build/bump-version-changelog.js ${{ inputs.version }}

      - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          commit-message: Bump version to ${{ inputs.version }}
          branch: bump-version-to-${{ inputs.version }}