Merge pull request #144 from uptick/plt-1209/pin-github-actions-sha

uptickmetachu · web-flow · commit 73de2abcda3a · 2025-12-16T10:56:25.000+11:00
PLT-1209 security(gha): Pin all github actions to a fixed sha via ratchet
diff --git a/.github/workflows/release-please.yaml b/.github/workflows/release-please.yaml
@@ -26,7 +26,7 @@ jobs:
       helm-version: ${{ steps.release.outputs['charts/gitops--tag_name'] }}
       sha: ${{ steps.release.outputs.sha }}
     steps:
-      - uses: googleapis/release-please-action@v4
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # ratchet:googleapis/release-please-action@v4
         id: release
         with: {}
 
@@ -35,9 +35,9 @@ jobs:
     needs: release-please
     if: ${{ needs.release-please.outputs.helm-version }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
       - name: Publish Helm charts
-        uses: stefanprodan/helm-gh-pages@master
+        uses: stefanprodan/helm-gh-pages@89c6698c192e70ed0e495bee7d3d1ca5b477fe82 # ratchet:stefanprodan/helm-gh-pages@master
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -47,9 +47,9 @@ jobs:
     needs: release-please
     if: ${{ needs.release-please.outputs.cli-release-created}}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # ratchet:actions/checkout@v4
 
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # ratchet:jdx/mise-action@v2
         with:
           install: true
           cache: true
@@ -60,11 +60,11 @@ jobs:
         shell: bash
 
       - name: Publish Pypi Package
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # ratchet:pypa/gh-action-pypi-publish@release/v1
 
   publish_docker_image:
     name: Build and Push Docker Image
-    uses: uptick/actions/.github/workflows/ci.yaml@main
+    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
     needs: release-please
     if: ${{ needs.release-please.outputs.server-release-created}}
     secrets:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   ci:
-    uses: uptick/actions/.github/workflows/ci.yaml@main
+    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
     secrets: inherit
     with:
       praise-on-fix: false
@@ -26,7 +26,7 @@ jobs:
         mise run ci
   build:
     name: Build and Push Docker Image
-    uses: uptick/actions/.github/workflows/ci.yaml@main
+    uses: uptick/actions/.github/workflows/ci.yaml@main # ratchet:exclude
     secrets:
       SECRET_ENV: "${{ secrets.CLUSTER_KEY }}"
     #https://github.com/uptick/actions/blob/main/.github/workflows/ci.yaml
