chore: pin GitHub actions to specific commit SHA (#214)

andrewmackett · web-flow · commit 49789038d8de · 2026-03-24T16:05:57.000Z
To proactively limit the impact of a compromised dependency, GitHub recommends that workflows pin dependency versions to a specific commit SHA. This will prevent malicious code added to a new or updated branch or tag from being automatically used. In GitHub there’s a setting to “Require actions to be pinned to a full-length commit SHA” and we intend to enable this setting soon. The changes in this PR were created using the [`pin-github-action`](https://github.com/mheap/pin-github-action) tool. [GitHub blog post](https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/) <sub>This PR was generated using [turbolift](https://github.com/Skyscanner/turbolift).</sub>
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -27,10 +27,10 @@ jobs:
 
     steps:
       - name: Check out the repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@ee0669bd1cc54295c223e0bb666b733df41de1c5 # v2
 
       - name: Use Java ${{ matrix.java }}
-        uses: actions/setup-java@v4
+        uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
         with:
           distribution: 'corretto'
           java-version: ${{ matrix.java }}
@@ -42,7 +42,7 @@ jobs:
         run: |
           ./gradlew test
 
-      - uses: hmarr/auto-approve-action@v4
+      - uses: hmarr/auto-approve-action@8f929096a962e83ccdfa8afcf855f39f12d4dac7 # v4
         if: "github.event.pull_request.user.login == 'github-actions[bot]'"
         with:
           github-token: ${{ secrets.DISPATCH_ACCESS_TOKEN }}
@@ -59,7 +59,7 @@ jobs:
       - id: automerge
         name: automerge
         if: "github.event.pull_request.user.login == 'github-actions[bot]'"
-        uses: "pascalgn/automerge-action@v0.16.4"
+        uses: "pascalgn/automerge-action@7961b8b5eec56cc088c140b56d864285eabd3f67" # v0.16.4
         env:
           GITHUB_TOKEN: ${{ secrets.DISPATCH_ACCESS_TOKEN }}
           MERGE_LABELS: ''
@@ -77,7 +77,7 @@ jobs:
     if: ${{ contains(needs.*.result, 'failure') }}
     steps:
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         if: github.ref == 'refs/heads/main' || (github.event_name == 'pull_request' && github.event.pull_request.user.login == 'github-actions[bot]')
         env:
             SLACK_USERNAME: Java SDK 
diff --git a/.github/workflows/sdk_generation.yaml b/.github/workflows/sdk_generation.yaml
@@ -21,7 +21,7 @@ permissions:
     - cron: 0 0 * * *
 jobs:
   generate:
-    uses: speakeasy-api/sdk-generation-action/.github/workflows/workflow-executor.yaml@v15
+    uses: speakeasy-api/sdk-generation-action/.github/workflows/workflow-executor.yaml@fe37b336cd1948f1e2e60383fd94bfb884318cf2 # v15
     with:
       force: ${{ github.event.inputs.force }}
       mode: pr
@@ -40,7 +40,7 @@ jobs:
     if: ${{ contains(needs.*.result, 'failure') }}
     steps:
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         if: github.ref == 'refs/heads/main'
         env:
             SLACK_USERNAME: Java SDK 
diff --git a/.github/workflows/sdk_publish.yaml b/.github/workflows/sdk_publish.yaml
@@ -14,7 +14,7 @@ permissions:
   workflow_dispatch: {}
 jobs:
   publish:
-    uses: speakeasy-api/sdk-generation-action/.github/workflows/sdk-publish.yaml@v15
+    uses: speakeasy-api/sdk-generation-action/.github/workflows/sdk-publish.yaml@fe37b336cd1948f1e2e60383fd94bfb884318cf2 # v15
     with:
       target: java
     secrets:
@@ -32,7 +32,7 @@ jobs:
     if: always()
     steps:
       - name: Slack Notification
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         if: github.ref == 'refs/heads/main'
         env:
             SLACK_USERNAME: Java SDK 
@@ -55,7 +55,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Notify SDKs
-        uses: peter-evans/repository-dispatch@v3
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
         with:
           token: ${{ secrets.DISPATCH_ACCESS_TOKEN }}
           repository: ${{ matrix.repo }}
diff --git a/.github/workflows/sdk_tag.yaml b/.github/workflows/sdk_tag.yaml
@@ -11,7 +11,7 @@ permissions:
   workflow_dispatch: {}
 jobs:
   tag:
-    uses: speakeasy-api/sdk-generation-action/.github/workflows/tag.yaml@v15
+    uses: speakeasy-api/sdk-generation-action/.github/workflows/tag.yaml@fe37b336cd1948f1e2e60383fd94bfb884318cf2 # v15
     with:
       registry_tags: main
     secrets:
