chore: pin GitHub Actions versions to commit hashes (#140)

WillDaSilva · web-flow · commit 0dc2ef4c47aa · 2025-03-15T09:43:29.000-06:00
This will help prevent attacks such as [this one](https://semgrep.dev/blog/2025/popular-github-action-tj-actionschanged-files-is-compromised/). Dependabot is able to update these versions automatically, and it will preserve the readable version comments.
diff --git a/.github/workflows/main_test.yml b/.github/workflows/main_test.yml
@@ -19,9 +19,9 @@ jobs:
       TAP_UNIVERSAL_FILE_FILE_REGEX: ^.*airtravel\.csv$
       TAP_UNIVERSAL_FILE_PROTOCOL: s3
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install Poetry
diff --git a/.github/workflows/s3_test.yml b/.github/workflows/s3_test.yml
@@ -25,9 +25,9 @@ jobs:
       TAP_UNIVERSAL_FILE_FILE_REGEX: ^.*airtravel\.csv$
       TAP_UNIVERSAL_FILE_PROTOCOL: s3
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install Poetry
@@ -41,4 +41,4 @@ jobs:
         poetry install --extras=s3
     - name: Test with pytest (requires repo secrets)
       run: | # Only run S3 tests, i.e. those that weren't already covered by the standard workflow run.
-        poetry run pytest -k 'test_s3_execution'
+        poetry run pytest -k 'test_s3_execution'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -22,9 +22,9 @@ jobs:
       AWS_SECRET_ACCESS_KEY: NoSecretsNeeded
       TAP_UNIVERSAL_FILE_PROTOCOL: file
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install Poetry
