Pin mutable actions to a specific commit instead of using tags

Cirras · fourls · commit fa3272d60252 · 2025-05-05T14:23:49.000+10:00
Prompted by CodeQL alerts for `actions/unpinned-tag`.
diff --git a/.github/workflows/format.yml b/.github/workflows/format.yml
@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: axel-op/googlejavaformat-action@v3
+      - uses: axel-op/googlejavaformat-action@c1134ebd196c4cbffb077f9476585b0be8b6afcd # v4.0.0
         with:
-          version: v1.19.2
+          release-name: v1.19.2
           args: "--set-exit-if-changed --dry-run"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -36,12 +36,12 @@ jobs:
         run: echo "version-without-v=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
       - name: Get changelog release info
         id: changelog
-        uses: release-flow/keep-a-changelog-action@v3
+        uses: release-flow/keep-a-changelog-action@74931dec7ecdbfc8e38ac9ae7e8dd84c08db2f32 # v3.0.0
         with:
           command: query
           version: ${{ steps.get-version.outputs.version-without-v }}
       - name: Create GitHub Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         with:
           name: ${{ steps.changelog.outputs.version }}
           body: ${{ steps.changelog.outputs.release-notes }}
