Pin versions of 3rd-party actions and GitHub runners (#41)

NoureldinYosri · web-flow · commit af7fa0985169 · 2025-02-18T14:25:19.000-08:00
Google's terms for allowing the use of GitHub Actions on Google-owned repositories requires that third-party actions be referenced using a specific commit, not a tagged release or a branch name. They also recommend that GitHub-hosted runners be referenced by fixed versions and not "-latest". (Internal doc link: go/github-actions#actions) The SHAs for GitHub Actions in this commit were obtained using [frizbee](https://github.com/stacklok/frizbee). The runner versions equivalent to the "-latest" runners are based on the table at https://github.com/actions/runner-images
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,20 +15,32 @@
 
 name: Build and Test
 
-on: [push]
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches:
+      - main
+
+  merge_group:
+    types:
+      - checks_requested
+
+  push:
+  # Allow manual invocation.
+  workflow_dispatch:
 
 jobs:
   buid-and-test:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     strategy:
       fail-fast: false
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Set up Python 3.10
-        uses: actions/setup-python@v3
+        uses: actions/setup-python@3542bca2639a428e1796aaa6a2ffef0c0f575566 # v3
         with:
           python-version: '3.10'
 
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -10,10 +10,10 @@ permissions:
 
 jobs:
   create_version:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: '3.10'
       - name: Create version
@@ -33,19 +33,19 @@ jobs:
       fail-fast: false
       matrix:
         include:
-          - os: ubuntu-latest
+          - os: ubuntu-24.04
             arch: x86_64
-          - os: windows-latest
+          - os: windows-2022
             arch: auto
-          - os: macos-latest
+          - os: macos-14
             arch: auto
           - os: macos-13
             arch: auto
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
       with:
         python-version: '3.10'
     - name: Install dependencies
@@ -66,19 +66,19 @@ jobs:
       run: |
         python -m cibuildwheel --output-dir wheelhouse
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
       with:
         name: python-wheels-${{ matrix.os }}
         path: ./wheelhouse/*.whl
 
   release-wheels:
     name: Publish all wheels
     needs: [build_wheels]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
     - name: Download build artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
       with:
         pattern: python-wheels-*
         merge-multiple: true
diff --git a/.github/workflows/stable-release-workflow.yml b/.github/workflows/stable-release-workflow.yml
@@ -9,10 +9,10 @@ permissions:
 
 jobs:
   create_version:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
         with:
           python-version: '3.10'
       - name: Create version
@@ -32,19 +32,19 @@ jobs:
       fail-fast: true
       matrix:
         include:
-          - os: ubuntu-latest
+          - os: ubuntu-24.04
             arch: x86_64
-          - os: windows-latest
+          - os: windows-2022
             arch: auto
-          - os: macos-latest
+          - os: macos-14
             arch: auto
           - os: macos-13
             arch: auto
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5
       with:
         python-version: '3.10'
     - name: Install dependencies
@@ -65,19 +65,19 @@ jobs:
       run: |
         python -m cibuildwheel --output-dir wheelhouse
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4
       with:
         name: python-wheels-${{ matrix.os }}
         path: ./wheelhouse/*.whl
 
   release-wheels:
     name: Publish all wheels
     needs: [build_wheels]
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
     - name: Download build artifacts
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
       with:
         pattern: python-wheels-*
         merge-multiple: true
