From 63402aa8afb25d03fd710402bdeb84a8ae2208fc Mon Sep 17 00:00:00 2001
From: Evgenii Kliuchnikov <eustas@google.com>
Date: Tue, 12 Sep 2023 05:48:59 -0700
Subject: use sha-versions for most gh actions

PiperOrigin-RevId: 564692809
---
 .github/workflows/build_test.yml |  8 ++++----
 .github/workflows/codeql.yml     | 10 +++++-----
 .github/workflows/fuzz.yml       |  2 +-
 .github/workflows/release.yaml   | 13 +++++++------
 4 files changed, 17 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml
index 725822a..91668d3 100644
--- a/.github/workflows/build_test.yml
+++ b/.github/workflows/build_test.yml
@@ -233,14 +233,14 @@ jobs:
         sudo apt install -y ${EXTRA_PACKAGES}
 
     - name: Checkout the source
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         submodules: false
         fetch-depth: 1
 
     #- name: Checkout VC9 for Python
     #  if: ${{ runner.os == 'Windows' && matrix.build_system == 'python' &&  matrix.python_version == '2.7' }}
-    #  uses: actions/checkout@v4
+    #  uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
     #  with:
     #    repository: reider-roque/sulley-win-installer
     #    path: third_party/VCForPython27
@@ -338,7 +338,7 @@ jobs:
         cd integration
         mvn -B verify
 
-    - uses: actions/setup-python@v4
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
       if: ${{ matrix.build_system == 'python' }}
       with:
         python-version: ${{ matrix.python_version }}
@@ -367,7 +367,7 @@ jobs:
     steps:
 
     - name: Checkout the source
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         submodules: false
         fetch-depth: 1
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0dfd5a8..03da18b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,11 +31,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
       with:
         languages: ${{ matrix.language }}
         # CodeQL is currently crashing on files with large lists:
@@ -47,7 +47,7 @@ jobs:
 
     - if: matrix.language == 'cpp'
       name: Build CPP
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
 
     - if: matrix.language == 'cpp' || matrix.language == 'java'
       name: Build Java
@@ -57,7 +57,7 @@ jobs:
 
     - if: matrix.language == 'javascript'
       name: Build JS
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
 
     - if: matrix.language == 'cpp' || matrix.language == 'python'
       name: Build Python
@@ -65,7 +65,7 @@ jobs:
         python setup.py build_ext
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@43750fe4fc4f068f04f2215206e6f6a29c78c763 # v2.14.4
       with:
         category: "/language:${{matrix.language}}"
         ref: "${{ github.ref != 'master' && github.ref || '/refs/heads/master' }}"
diff --git a/.github/workflows/fuzz.yml b/.github/workflows/fuzz.yml
index 2ca7d42..14c2dcb 100644
--- a/.github/workflows/fuzz.yml
+++ b/.github/workflows/fuzz.yml
@@ -28,7 +28,7 @@ jobs:
         fuzz-seconds: 600
         dry-run: false
     - name: Upload Crash
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       if: failure()
       with:
         name: artifacts
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 89acdf3..00b2b33 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -13,6 +13,8 @@ on:
       - v*.*.*
   release:
     types: [ published ]
+  pull_request:
+    types: [opened, reopened, labeled, synchronize]
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.event_name }}
@@ -46,12 +48,12 @@ jobs:
 
     steps:
     - name: Checkout the source
-      uses: actions/checkout@v4
+      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
       with:
         submodules: false
         fetch-depth: 1
 
-    - uses: actions/cache@v3
+    - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
       id: cache-vcpkg
       with:
         path: vcpkg
@@ -100,14 +102,13 @@ jobs:
         cmake --build out --config Release --target install
         cp LICENSE prefix/bin/LICENSE.brotli
     - name: Upload artifacts
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: brotli-${{matrix.triplet}}
         path: |
           prefix/bin/*
 
     - name: Package release zip
-      if: github.event_name == 'release'
       shell: 'powershell'
       run: |
         Compress-Archive -Path prefix\bin\* `
@@ -115,7 +116,7 @@ jobs:
 
     - name: Upload binaries to release
       if: github.event_name == 'release'
-      uses: AButler/upload-release-assets@v2.0
+      uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
       with:
         files: brotli-${{matrix.triplet}}.zip
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        tag_name: dev/null
-- 
cgit v1.1