ci: Pin actions digests, remove unnecessary actions and add minimumReleaseAge (#7390)

ci: Pin actions digests and add minimumReleaseAge
2026-06-22 02:02:12 +07:00 · 2026-04-30 20:39:15 +02:00
parent aac03c7e3e
commit c22100a678
9 changed files with 99 additions and 93 deletions
@@ -20,7 +20,7 @@ jobs:
      release_created: ${{ steps.release.outputs.release_created }}
      tag_name: ${{ steps.release.outputs.tag_name }}
    steps:
-      - uses: googleapis/release-please-action@v5
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
        id: release
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
@@ -92,13 +92,10 @@ jobs:
      RUSTFLAGS: ${{ matrix.rustflags || '' }}
    steps:
      - name: Setup | Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup | Rust
-        uses: dtolnay/rust-toolchain@master
-        with:
-          toolchain: stable
-          target: ${{ matrix.target }}
+        run: rustup toolchain install stable --profile minimal --target ${{ matrix.target }} --no-self-update

      - name: Setup | Install cargo-wix [Windows]
        continue-on-error: true
@@ -110,7 +107,9 @@ jobs:

      - name: Setup | Install cross [Linux]
        if: matrix.os == 'ubuntu-latest'
-        uses: taiki-e/install-action@cross
+        uses: taiki-e/install-action@7a4939c09608b2a1986b484eca1d16fd0db8ebef # v2.75.5
+        with:
+          tool: cross@0.2.5

      - name: Build | Build [Cargo]
        if: matrix.os != 'ubuntu-latest'
@@ -132,7 +131,7 @@ jobs:
        continue-on-error: true
        if: matrix.os == 'windows-latest'
        id: unsigned-artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: unsigned-${{ matrix.name }}
          path: |
@@ -142,7 +141,7 @@ jobs:
      - name: Sign | Sign [Windows]
        continue-on-error: true
        if: matrix.os == 'windows-latest'
-        uses: signpath/github-action-submit-signing-request@v2
+        uses: signpath/github-action-submit-signing-request@bc66d86b015a46e9c6d9700de73143a82f9570ff # v2.1
        with:
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
@@ -167,7 +166,7 @@ jobs:
          cd -

      - name: Release | Upload artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.name }}
          path: ${{ matrix.name }}
@@ -175,7 +174,7 @@ jobs:
      - name: Release | Upload installer artifacts [Windows]
        continue-on-error: true
        if: matrix.os == 'windows-latest'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: starship-${{ matrix.target }}.msi
          path: target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi
@@ -205,7 +204,7 @@ jobs:
      STARSHIP_VERSION: ${{ needs.release_please.outputs.tag_name }}
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Required to include the recently merged Crowdin PR
          ref: master
@@ -242,7 +241,7 @@ jobs:
          xcrun notarytool store-credentials "$KEYCHAIN_ENTRY" --team-id "$APPLEID_TEAMID" --apple-id "$APPLEID_USERNAME" --password "$APPLEID_PASSWORD" --keychain "$KEYCHAIN_PATH"

      - name: Setup | Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 24.15.0

@@ -253,7 +252,7 @@ jobs:
          npm run build

      - name: Notarize | Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: ${{ matrix.name }}
          path: artifacts
@@ -265,7 +264,7 @@ jobs:
        run: bash install/macos_packages/build_and_notarize.sh starship docs ${{ matrix.arch }} ${{ matrix.pkgname }}

      - name: Notarize | Upload Notarized Flat Installer
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.pkgname }}
          path: ${{ matrix.pkgname }}
@@ -274,7 +273,7 @@ jobs:
        run: tar czvf ${{ matrix.name }} starship

      - name: Notarize | Upload Notarized Binary
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: ${{ matrix.name }}
          path: ${{ matrix.name }}
@@ -293,7 +292,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Setup | Artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1

      - name: Setup | Checksums
        run: for file in starship-*/starship-*; do openssl dgst -sha256 -r "$file" | awk '{print $1}' > "${file}.sha256"; done
@@ -304,10 +303,9 @@ jobs:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Build | Add Artifacts to Release
-        uses: softprops/action-gh-release@v3
-        with:
-          files: starship-*/starship-*
-          tag_name: ${{ needs.release_please.outputs.tag_name }}
+        run: gh release upload ${{ needs.release_please.outputs.tag_name }} starship-*/starship-* --repo starship/starship
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Publish starship to Crates.io
  cargo_publish:
@@ -319,13 +317,13 @@ jobs:
      id-token: write
    steps:
      - name: Setup | Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Setup | Rust
-        uses: dtolnay/rust-toolchain@stable
+        run: rustup toolchain install stable --profile minimal --no-self-update

      - name: Build | Authenticate
-        uses: rust-lang/crates-io-auth-action@v1
+        uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
        id: auth

      - name: Build | Publish
@@ -337,7 +335,7 @@ jobs:
    needs: [release_please, upload_artifacts]
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    steps:
-      - uses: mislav/bump-homebrew-formula-action@v4.1
+      - uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4.1
        with:
          formula-name: starship
          tag-name: ${{ needs.release_please.outputs.tag_name }}
@@ -377,9 +375,9 @@ jobs:
    if: ${{ needs.release_please.outputs.release_created == 'true' }}
    steps:
      - name: Setup | Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Setup | Artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
      - run: pwsh ./install/windows/choco/update.ps1
        env:
          STARSHIP_VERSION: ${{ needs.release_please.outputs.tag_name }}
@@ -393,7 +391,7 @@ jobs:
    continue-on-error: true
    steps:
      - name: Setup | Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Merge | Merge Crowdin PR
        run: gh pr merge i18n_master --squash --repo=starship/starship
        env:
@@ -405,7 +403,7 @@ jobs:
    needs: merge_crowdin_pr
    steps:
      - name: Setup | Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Trigger workflow dispatch
        run: gh workflow run publish-docs.yml
        env: