CI: Bump and ref actions by commit SHA in windows-ci.yml
Referencing actions by commit SHA in GitHub workflows guarantees you are using an immutable version. Actions referenced by tags and branches are more vulnerable to attacks, such as the tag being moved to a malicious commit or a malicious commit being pushed to the branch.

It's important to make sure the SHAs are from the original repositories and not forks.

For reference:

https://github.com/msys2/setup-msys2/releases/tag/v2.20.1
msys2/setup-msys2@27b3aa7

https://github.com/actions/checkout/releases/tag/v4.1.0
actions/checkout@8ade135

https://github.com/actions/upload-artifact/releases/tag/v3.1.3
actions/upload-artifact@a8a3f3a

Signed-off-by: Gabriela Gutierrez <[email protected]>
gabibguti committed Oct 12, 2023
1 parent 4f4f754 commit 64909e8
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/windows-ci.yml
@@ -40,7 +40,7 @@ jobs:

# Rely on the msys2 GitHub Action to set up the msys2 environment.
- name: Setup MSYS2
uses: msys2/setup-msys2@v2
uses: msys2/setup-msys2@27b3aa77f672cb6b3054121cfd80c3d22ceebb1d #v2.20.1
with:
msystem: ${{ matrix.msys2_env }}
update: true
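Review bot: the pin on `msys2/setup-msys2@27b3aa7…` only makes the action's own code immutable; with `update: true` two lines below, the MSYS2 packages the step installs are still whatever pacman fetches at run time, so this hunk does not make the toolchain itself reproducible. Worth a comment next to `update: true` (or a note in the commit message) so nobody reads the SHA pin as a full build-environment pin. The `#v2.20.1` trailer is the only human-readable record of which release the SHA maps to; keep it accurate on future bumps (Dependabot's `github-actions` updater rewrites a trailing version comment together with the SHA).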
@@ -56,7 +56,7 @@ jobs:
# text file and will not match the output from xzgrep.
run: git config --global core.autocrlf false

- uses: actions/checkout@v3
- uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0


########################
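Review bot: `actions/checkout@v3` → `actions/checkout@8ade135…#v4.1.0` is a major-version bump as well as a pin, but the commit title and message only talk about pinning by SHA. Say so explicitly in the message and check the v4 release notes against the runners this workflow uses, since a major bump of checkout can change runtime requirements and default behaviour; a reader bisecting a later failure should not have to discover the v3→v4 jump from the diff.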
@@ -118,7 +118,7 @@ jobs:
###############

# Upload the test logs as artifacts if any step has failed.
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 #v3.1.3
if: ${{ failure() }}
with:
name: ${{ matrix.msys2_env }} ${{ matrix.build_system }} Test Logs
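Review bot: `actions/upload-artifact@a8a3f3a…#v3.1.3` freezes the patch level that the old `@v3` floating tag would have advanced on its own, so fixes in later 3.1.x releases now need an explicit bump. Pair this change with a `.github/dependabot.yml` entry for the `github-actions` package ecosystem (or an equivalent Renovate rule) so the three SHA pins in this file get proposed updates; otherwise a pinned action quietly becomes an unmaintained dependency. The `if: ${{ failure() }}` guard and the "if any step has failed" comment agree, no change needed there.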

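The commit message asks two things of every `uses:` line: that the ref be a full commit SHA, and that the SHA come from the upstream repository rather than a fork. The script below is an added example, not code from this repository or from this commit's author; it statically audits a workflow for both. The function names, the constructed sample workflow (which reuses the before/after refs from the diff plus a few deliberately bad lines) and the `UPSTREAM_TAGS` table are assumptions; the table holds the tag-to-commit pairs the commit message lists and stands in for what `git ls-remote` against the upstream repo would return.

```python
"""Audit `uses:` references in a GitHub Actions workflow for SHA pinning.

Added example, not code from the repository or this commit. Function names,
the sample workflow and the UPSTREAM_TAGS table are constructed for the demo.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# A full 40-hex commit SHA is the only immutable form of an action reference.
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
SHORT_SHA_RE = re.compile(r"[0-9a-f]{7,39}")

# Matches `uses: owner/repo[/path]@ref` with an optional `#vX.Y.Z` trailer.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?(?P<repo>[^\s@'"]+)@(?P<ref>[^\s'"#]+)['"]?"""
    r"""(?:\s*#\s*(?P<comment>\S+))?"""
)


class UsesRef(NamedTuple):
    line_no: int
    repo: str
    ref: str
    comment: Optional[str]


def parse_uses(workflow_text: str) -> List[UsesRef]:
    """Extract remote action references; local (./) and docker:// uses are skipped."""
    refs = []
    for n, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group("repo").startswith(("./", "docker://")):
            continue
        refs.append(UsesRef(n, m.group("repo"), m.group("ref"), m.group("comment")))
    return refs


def classify_ref(ref: str) -> str:
    """'sha' is immutable; 'short-sha' is ambiguous; tags and branches are 'mutable'."""
    if FULL_SHA_RE.fullmatch(ref):
        return "sha"
    if SHORT_SHA_RE.fullmatch(ref):
        return "short-sha"
    return "mutable"


def audit(workflow_text: str,
          tag_commits: Dict[Tuple[str, str], str]) -> List[Tuple[int, str, str]]:
    """Return (line, repo, status) for each reference.

    tag_commits maps (repo, tag) -> commit SHA resolved from the *upstream*
    repository. Resolving the tag upstream, rather than asking whether the SHA
    merely exists, is what catches a SHA taken from a fork.
    """
    findings = []
    for u in parse_uses(workflow_text):
        kind = classify_ref(u.ref)
        if kind != "sha":
            status = kind
        elif u.comment is None:
            status = "no-version-comment"
        elif (u.repo, u.comment) not in tag_commits:
            status = "tag-not-resolved-upstream"
        elif tag_commits[(u.repo, u.comment)] != u.ref:
            status = "sha-tag-mismatch"
        else:
            status = "ok"
        findings.append((u.line_no, u.repo, status))
    return findings


def ls_remote_command(repo: str, tag: str) -> List[str]:
    """Command that lists the tag and, for annotated tags, the peeled `^{}` commit to pin."""
    url = f"https://github.com/{repo}"
    return ["git", "ls-remote", "--tags", url, f"refs/tags/{tag}", f"refs/tags/{tag}^{{}}"]


# Constructed sample: the diff's refs (before and after), plus deliberately bad lines.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Setup MSYS2
        uses: msys2/setup-msys2@v2
      - uses: msys2/setup-msys2@27b3aa77f672cb6b3054121cfd80c3d22ceebb1d #v2.20.1
      - uses: actions/checkout@v3
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
      - uses: actions/checkout@8ade135
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608
      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
      - uses: some-fork/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 #v4.1.0
      - uses: actions/checkout@0000000000000000000000000000000000000000 #v4.1.0
      - uses: ./.github/actions/local-step
"""

# Upstream tag -> commit as listed in the commit message (normally: ls_remote_command output).
UPSTREAM_TAGS = {
    ("msys2/setup-msys2", "v2.20.1"): "27b3aa77f672cb6b3054121cfd80c3d22ceebb1d",
    ("actions/checkout", "v4.1.0"): "8ade135a41bc03ea155e62e844d188df1ea18608",
    ("actions/upload-artifact", "v3.1.3"): "a8a3f3ad30e3422c9c7b888a15615d19a852ae32",
}

if __name__ == "__main__":
    for line_no, repo, status in audit(SAMPLE_WORKFLOW, UPSTREAM_TAGS):
        print(f"line {line_no:>2} {repo:<26} {status}")
```

The fork check is deliberately done by resolving the tag upstream and comparing commits, not by asking whether the commit exists in the upstream repository: GitHub serves objects across a fork network, so a commit pushed only to a fork can still be fetched through the upstream repository's URL. For annotated tags, `git ls-remote --tags` prints both the tag object and a `refs/tags/<tag>^{}` line; the peeled `^{}` SHA is the commit to pin.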