From 36ce05ff34c7a2c7d6e05282c77b9914ee631f35 Mon Sep 17 00:00:00 2001 From: Florian Imdahl Date: Tue, 2 Jun 2026 16:31:40 +0200 Subject: [PATCH] ci: Pin workflows --- .github/workflows/codeql.yml | 6 +++--- .github/workflows/nightly.yml | 18 +++++++++--------- .github/workflows/oneoff.yml | 16 ++++++++-------- .github/workflows/release.yml | 18 +++++++++--------- .github/workflows/test.yml | 2 +- 5 files changed, 30 insertions(+), 30 deletions(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index bf95a16a..14441db3 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -29,9 +29,9 @@ jobs: # build-mode: manual steps: - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd #v5 - name: Initialize CodeQL - uses: github/codeql-action/init@v3 + uses: github/codeql-action/init@d77b13a0df3134d64a457ea9003f600b09fa1c8a # v3 with: languages: ${{ matrix.language }} build-mode: ${{ matrix.build-mode }} @@ -42,6 +42,6 @@ jobs: name: "Build" run: xcrun xcodebuild -project Sources/Secretive.xcodeproj -scheme Secretive CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + uses: github/codeql-action/analyze@d77b13a0df3134d64a457ea9003f600b09fa1c8a # v3 with: category: "/language:${{matrix.language}}" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 112f5fb4..61943168 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -1,9 +1,9 @@ name: Nightly -on: - schedule: +on: + schedule: - cron: "0 8 * * *" - + jobs: build: runs-on: macos-26 
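Review bot: The checkout step in codeql.yml moves from `actions/checkout@v4` to a SHA annotated `#v5`, so this hunk carries a major-version upgrade inside a commit whose subject only says "Pin workflows"; the other four workflows were already on `@v5`. If the upgrade is intended, say so in the commit message; if not, pin the v4 line instead, `uses: actions/checkout@<FULL_COMMIT_SHA_OF_V4_RELEASE> # v4`. The annotation is also written `#v5` here while the same SHA is annotated `# v5` elsewhere in the patch; a single spelling keeps the pins greppable. The SHA-to-tag mapping cannot be checked from the diff, so it should be confirmed against the upstream tag before merge.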
@@ -15,9 +15,9 @@ jobs: actions: read timeout-minutes: 10 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Signing - env: + env: SIGNING_DATA: ${{ secrets.SIGNING_DATA }} SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }} @@ -41,26 +41,26 @@ jobs: run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact - name: Upload App to Artifacts id: upload - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7 with: name: Secretive path: Artifact - name: Download Zipped Artifact id: download - env: + env: ZIP_ID: ${{ steps.upload.outputs.artifact-id }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \ https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip - name: Notarize - env: + env: APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip - name: Attest id: attest - uses: actions/attest@v4 + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 #v4 with: subject-name: "Secretive.zip" subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }} diff --git a/.github/workflows/oneoff.yml b/.github/workflows/oneoff.yml index 9b1dbcf5..eeab01da 100644 --- a/.github/workflows/oneoff.yml +++ b/.github/workflows/oneoff.yml @@ -1,8 +1,8 @@ name: One-Off Build -on: +on: workflow_dispatch: - + jobs: build: runs-on: macos-26 
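Review bot: The pinned checkout at the top of `steps:` runs with default inputs (the next line is already `- name: Setup Signing`), and by default actions/checkout keeps the job token in the local git config where later steps can read it. In a job that goes on to load `SIGNING_DATA` and `SIGNING_PASSWORD`, that is cheap to drop: add `with:` and `persist-credentials: false` under the `uses:` line, unless a later step needs authenticated git, which cannot be ruled out because the step list continues outside the hunk. The same applies to the checkout steps in oneoff.yml, release.yml and test.yml.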
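Review bot: The annotations on the upload-artifact and attest pins, `#v7` and `#v4`, name only a moving major tag, so a reader cannot tell which release the SHA is meant to be, and the missing space differs from `# v5` on the checkout pins. Recording the exact release, e.g. `uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v<MAJOR.MINOR.PATCH>`, makes the pin auditable and gives update tooling a version to bump. This matters most for actions/attest, whose output is the provenance for `Secretive.zip`. The patch adds no updater configuration for the `github-actions` ecosystem; if the repository has none, these SHAs will stay frozen and miss upstream security fixes. The same annotations appear in the matching hunks of oneoff.yml and release.yml.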
@@ -14,9 +14,9 @@ jobs: actions: read timeout-minutes: 10 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Signing - env: + env: SIGNING_DATA: ${{ secrets.SIGNING_DATA }} SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }} @@ -40,26 +40,26 @@ jobs: run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact - name: Upload App to Artifacts id: upload - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7 with: name: Secretive path: Artifact - name: Download Zipped Artifact id: download - env: + env: ZIP_ID: ${{ steps.upload.outputs.artifact-id }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \ https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip - name: Notarize - env: + env: APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip - name: Attest id: attest - uses: actions/attest@v4 + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 #v4 with: subject-name: "Secretive.zip" subject-digest: sha256:${{ steps.upload.outputs.artifact-digest }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a88efe64..ad6ba0cf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,6 +1,6 @@ name: Release -on: +on: push: tags: - '*' 
@@ -11,9 +11,9 @@ jobs: runs-on: macos-26 timeout-minutes: 10 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Signing - env: + env: SIGNING_DATA: ${{ secrets.SIGNING_DATA }} SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }} @@ -37,9 +37,9 @@ jobs: runs-on: macos-26 timeout-minutes: 10 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Setup Signing - env: + env: SIGNING_DATA: ${{ secrets.SIGNING_DATA }} SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} HOST_PROFILE_DATA: ${{ secrets.HOST_PROFILE_DATA }} @@ -64,26 +64,26 @@ jobs: run: mkdir Artifact; cp -r Archive.xcarchive/Products/Applications/Secretive.app Artifact - name: Upload App to Artifacts id: upload - uses: actions/upload-artifact@v7 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a #v7 with: name: Secretive.zip path: Artifact - name: Download Zipped Artifact id: download - env: + env: ZIP_ID: ${{ steps.upload.outputs.artifact-id }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | curl -L -H "Authorization: Bearer $GITHUB_TOKEN" -L \ https://api.github.com/repos/maxgoedjen/secretive/actions/artifacts/$ZIP_ID/zip > Secretive.zip - name: Notarize - env: + env: APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} run: xcrun notarytool submit --key ~/.private_keys/AuthKey_$APPLE_API_KEY_ID.p8 --key-id $APPLE_API_KEY_ID --issuer $APPLE_API_ISSUER Secretive.zip - name: Attest id: attest - uses: actions/attest@v4 + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 #v4 with: subject-path: "Secretive.zip" - name: Create Release diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 8ec1d213..69b028f3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -8,7 +8,7 @@ jobs: runs-on: macos-26 timeout-minutes: 10 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: Set Environment run: sudo xcrun xcode-select -s /Applications/Xcode_26.4.app - name: Test Main Packages