From 07cfbfdaf1fcac92b6140897459dfbacfdb77200 Mon Sep 17 00:00:00 2001
From: Cameron G <156701171+camgrimsec@users.noreply.github.com>
Date: Sat, 20 Jun 2026 01:25:12 -0400
Subject: [PATCH 1/6] ci: pin docker-image-dockerhub.yml actions to commit SHAs
---
 .github/workflows/docker-image-dockerhub.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker-image-dockerhub.yml b/.github/workflows/docker-image-dockerhub.yml
index 53a80c00fe9..c5be411498d 100644
--- a/.github/workflows/docker-image-dockerhub.yml
+++ b/.github/workflows/docker-image-dockerhub.yml
@@ -27,16 +27,16 @@ jobs:
 echo "tag_version=${{ github.event.inputs.tag_version || 'latest' }}" >> $GITHUB_OUTPUT
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4.0.0
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4.0.0
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Login to Docker Hub
- uses: docker/login-action@v4
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -45,7 +45,7 @@ jobs:
 # Build and push main image
 # -------------------------
 - name: Build and push main image
- uses: docker/build-push-action@v6.19.2
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: .
 file: ./docker/Dockerfile
@@ -60,7 +60,7 @@ jobs:
 # Build and push worker image
 # -------------------------
 - name: Build and push worker image
- uses: docker/build-push-action@v6.19.2
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: .
 file: docker/worker/Dockerfile
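Review bot: The context line at the top of the first hunk, `echo "tag_version=${{ github.event.inputs.tag_version || 'latest' }}" >> $GITHUB_OUTPUT`, expands a workflow input into the script text before the shell runs, so the input is parsed as script rather than handled as data, and the pinning in this series does not change that. The step starts above the hunk, so its `run:` header and any existing `env:` block are not visible here. Passing the value through the environment keeps it as data: `env:` with `TAG_VERSION: ${{ github.event.inputs.tag_version || 'latest' }}` on the step, and `echo "tag_version=$TAG_VERSION" >> "$GITHUB_OUTPUT"` in the script. The same line opens the first hunk of docker-image-ecr.yml (`@@ -40,13 +40,13 @@`), and both jobs go on to log in to a registry, so it is worth fixing alongside the pins.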
From 5b5bf7503d7782d9794fbac442a874edf9b5cf08 Mon Sep 17 00:00:00 2001
From: Cameron G <156701171+camgrimsec@users.noreply.github.com>
Date: Sat, 20 Jun 2026 01:25:13 -0400
Subject: [PATCH 2/6] ci: pin docker-image-ecr.yml actions to commit SHAs
---
 .github/workflows/docker-image-ecr.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/docker-image-ecr.yml b/.github/workflows/docker-image-ecr.yml
index 47275f08687..82aeaa2620b 100644
--- a/.github/workflows/docker-image-ecr.yml
+++ b/.github/workflows/docker-image-ecr.yml
@@ -40,13 +40,13 @@ jobs:
 echo "tag_version=${{ github.event.inputs.tag_version || 'latest' }}" >> $GITHUB_OUTPUT
 - name: Checkout
- uses: actions/checkout@v6.0.2
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Set up QEMU
- uses: docker/setup-qemu-action@v4.0.0
+ uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v4.0.0
+ uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 - name: Configure AWS OIDC Credentials
 uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
@@ -57,13 +57,13 @@ jobs:
 unset-current-credentials: true
 - name: Login to Amazon ECR
- uses: aws-actions/amazon-ecr-login@v2
+ uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2.1.6
 # -------------------------
 # Build and push main image
 # -------------------------
 - name: Build and push main image
- uses: docker/build-push-action@v6.19.2
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 context: .
 file: Dockerfile
From b03bf4f99f60ee79660569200c922c15ea6ad611 Mon Sep 17 00:00:00 2001
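Review bot: Nothing in the series ties `d539f0932e70871a027e9d5a9d8fc38589180a64` to the `# v2.1.6` written beside it in the second hunk, and the line replaces a floating `@v2`, so the comment is the only record of which release was chosen. A full SHA can also resolve to a commit that exists only in a fork of the action's repository, which is why GitHub's hardening guidance asks that a pinned SHA be confirmed as coming from the action's own repository. Each pin is worth checking against the upstream tag before merge, for example with `git ls-remote https://github.com/aws-actions/amazon-ecr-login 'refs/tags/v2.1.6*'`. The same check applies to the other floating-tag replacements in the series: `docker/login-action@v4`, `actions/checkout@v6`, `pnpm/action-setup@v4` and `@v6`, and `actions/setup-node@v6`.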
From: Cameron G <156701171+camgrimsec@users.noreply.github.com>
Date: Sat, 20 Jun 2026 01:25:14 -0400
Subject: [PATCH 3/6] ci: pin main.yml actions to commit SHAs
---
 .github/workflows/main.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 4af90b52d3d..4ac6be3d90e 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -19,12 +19,12 @@ jobs:
 env:
 PUPPETEER_SKIP_DOWNLOAD: true
 steps:
- - uses: actions/checkout@v6
- - uses: pnpm/action-setup@v4
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
 with:
 version: 10.26.0
 - name: Use Node.js ${{ matrix.node-version }}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'pnpm'
@@ -38,12 +38,12 @@ jobs:
 - name: Cypress install
 run: pnpm cypress install
 - name: Install dependencies (Cypress Action)
- uses: cypress-io/github-action@v7.1.5
+ uses: cypress-io/github-action@bc22e01685c56e89e7813fd8e26f33dc47f87e15 # v7.1.5
 with:
 working-directory: ./
 runTests: false
 - name: Cypress test
- uses: cypress-io/github-action@v7.1.5
+ uses: cypress-io/github-action@bc22e01685c56e89e7813fd8e26f33dc47f87e15 # v7.1.5
 with:
 install: false
 working-directory: packages/server
From f69cdb3b93239e42336cf3a9de9fabfe12e86736 Mon Sep 17 00:00:00 2001
From: Cameron G <156701171+camgrimsec@users.noreply.github.com>
Date: Sat, 20 Jun 2026 01:25:15 -0400
Subject: [PATCH 4/6] ci: pin proprietary-path-guard.yml actions to commit SHAs
---
 .github/workflows/proprietary-path-guard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/proprietary-path-guard.yml b/.github/workflows/proprietary-path-guard.yml
index 7f0fb30e722..8440720eb8a 100644
--- a/.github/workflows/proprietary-path-guard.yml
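Review bot: `actions/checkout` is pinned in the first main.yml hunk to `df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3`, while patches 1 and 2 pin the same action to `de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2`, so after the series the repository carries two checkout commits to audit. That follows from the old refs (`@v6` here, `@v6.0.2` in the Docker workflows), but one pin per action is easier to review and to update. SHA pins also stop receiving the fixes a floating tag would have picked up, and no patch in the series adds an updater. If the repository does not already have one, a `package-ecosystem: "github-actions"` entry in `.github/dependabot.yml` would keep the SHAs and their version comments current.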
+++ b/.github/workflows/proprietary-path-guard.yml
@@ -35,7 +35,7 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 with:
 fetch-depth: 0
From 956e2da3136214a78d3bce35c33b0321f3578ffe Mon Sep 17 00:00:00 2001
From: Cameron G <156701171+camgrimsec@users.noreply.github.com>
Date: Sat, 20 Jun 2026 01:25:16 -0400
Subject: [PATCH 5/6] ci: pin publish-package.yml actions to commit SHAs
---
 .github/workflows/publish-package.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index 903a07f940f..92d5eef6f8a 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -45,13 +45,13 @@ jobs:
 outputs:
 version: ${{ steps.resolve-version.outputs.version }}
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- - uses: pnpm/action-setup@v6
+ - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
 with:
 version: 10.26.0
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: '20.20.2'
 registry-url: 'https://registry.npmjs.org'
@@ -120,13 +120,13 @@ jobs:
 contents: write
 pull-requests: write
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- - uses: pnpm/action-setup@v6
+ - uses: pnpm/action-setup@0ebf47130e4866e96fce0953f49152a61190b271 # v6.0.9
 with:
 version: 10.26.0
- - uses: actions/setup-node@v6
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: '20.20.2'
 registry-url: 'https://registry.npmjs.org'
From dacfe327c0b54843e6c8c06dbbee6b194c7d815b Mon Sep 17 00:00:00 2001
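Review bot: The checkout in the second publish-package.yml hunk (`@@ -120,13 +120,13 @@`) runs in a job whose visible permissions are `contents: write` and `pull-requests: write`, and it keeps the default credential handling, so the job token stays available to git for whatever later steps run. The steps after `setup-node` are outside the hunk, so it is not visible whether any of them pushes with git. If none does, adding `with:` and `persist-credentials: false` to this checkout narrows what a compromised dependency or action could reach in the publishing job. The checkout in the first hunk (`@@ -45,13 +45,13 @@`) can take the same setting.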
From: Cameron G <156701171+camgrimsec@users.noreply.github.com>
Date: Sat, 20 Jun 2026 01:25:17 -0400
Subject: [PATCH 6/6] ci: pin test_docker_build.yml actions to commit SHAs
---
 .github/workflows/test_docker_build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test_docker_build.yml b/.github/workflows/test_docker_build.yml
index ae4b3f3b2d2..11aacc18f3e 100644
--- a/.github/workflows/test_docker_build.yml
+++ b/.github/workflows/test_docker_build.yml
@@ -15,5 +15,5 @@ jobs:
 env:
 PUPPETEER_SKIP_DOWNLOAD: true
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
 - run: docker build --no-cache -t flowise .