Harden GitHub Actions: pin SHAs + persist-credentials

.github/actions/fly-setup/action.yml

@@ -35,12 +35,12 @@ runs:
   using: composite
   steps:
     - name: Set up Go
-      uses: actions/setup-go@v6
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
       with:
         go-version: "1.26.2"
 
     - name: Load secrets from 1Password
-      uses: 1password/load-secrets-action@v2
+      uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
       with:
         export-env: true
       env:

.github/workflows/auto-release.yml

@@ -31,22 +31,22 @@ jobs:
       pull-requests: read
     steps:
       - name: Load secrets from 1Password
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
         with:
           export-env: true
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           PAT_TOKEN: op://Good Native/hover-github/PAT_TOKEN
 
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           token: ${{ env.PAT_TOKEN }}
 
       - name: Check for no-release label
         id: skip
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
             const sha = context.sha;
@@ -97,7 +97,7 @@ jobs:
         if:
           steps.check.outputs.should_release == 'true' &&
           steps.skip.outputs.should_skip != 'true'
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: "20"
 
@@ -198,7 +198,7 @@ jobs:
         if:
           steps.check.outputs.should_release == 'true' &&
           steps.skip.outputs.should_skip != 'true'
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           NEW_VERSION: ${{ steps.check.outputs.next_version }}
           RUNNER_TEMP: ${{ runner.temp }}

.github/workflows/changelog-check.yml

@@ -25,8 +25,9 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Check for changelog updates
@@ -93,7 +94,7 @@ jobs:
           echo "✅ Changelog has new content under [Unreleased]"
 
       - name: Comment on PR with version info
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         env:
           RELEASE_TYPE: ${{ steps.check.outputs.release_type }}
           CURRENT_VERSION: ${{ steps.check.outputs.current_version }}

.github/workflows/cleanup-orphaned-apps.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
       - name: Load secrets from 1Password
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
         with:
           export-env: true
         env:

.github/workflows/fly-deploy.yml

@@ -51,7 +51,9 @@ jobs:
     outputs:
       image: ${{ steps.image.outputs.image }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -86,7 +88,9 @@ jobs:
     outputs:
       image: ${{ steps.image.outputs.image }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -120,7 +124,9 @@ jobs:
     runs-on: blacksmith-4vcpu-ubuntu-2404
     needs: [build-shared]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -163,7 +169,9 @@ jobs:
     runs-on: blacksmith-4vcpu-ubuntu-2404
     needs: [build-analysis]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -204,7 +212,9 @@ jobs:
     # the consumer-before-producer invariant.
     needs: [build-shared, release-analysis]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -254,7 +264,9 @@ jobs:
     runs-on: blacksmith-4vcpu-ubuntu-2404
     needs: [build-analysis, release-analysis]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -271,7 +283,9 @@ jobs:
     runs-on: blacksmith-4vcpu-ubuntu-2404
     needs: [build-shared, release-worker]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -294,15 +308,17 @@ jobs:
     runs-on: blacksmith-4vcpu-ubuntu-2404
     needs: [reconcile-worker-pool]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
       - name: Load fly-autoscaler tokens from 1Password
         # Loaded inline (not in the shared fly-setup composite) so review-app
         # CI doesn't need these 1Password fields to exist.
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
         with:
           export-env: true
         env:
@@ -341,15 +357,17 @@ jobs:
     runs-on: blacksmith-4vcpu-ubuntu-2404
     needs: [reconcile-analysis-pool]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/fly-setup
         with:
           op-service-account-token: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
 
       - name: Load fly-autoscaler tokens from 1Password
         # Loaded inline (not in the shared fly-setup composite) so review-app
         # CI doesn't need these 1Password fields to exist.
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
         with:
           export-env: true
         env:
@@ -403,7 +421,7 @@ jobs:
     steps:
       - name: Load Grafana annotation secrets
         continue-on-error: true
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
         with:
           export-env: true
         env:

.github/workflows/release-cli.yml

@@ -13,11 +13,12 @@ jobs:
     name: Build and Release CLI
     runs-on: blacksmith-4vcpu-ubuntu-2404
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
+          persist-credentials: false
           fetch-depth: 0
 
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
         with:
           go-version-file: go.mod
 
@@ -31,7 +32,7 @@ jobs:
           git tag -f "$SEMVER_TAG" HEAD
           echo "SEMVER_TAG=$SEMVER_TAG" >> $GITHUB_ENV
 
-      - uses: goreleaser/goreleaser-action@v6
+      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
         with:
           version: "~> v2"
           args: release --clean --skip=validate
@@ -52,14 +53,14 @@ jobs:
             dist/hover_*.tar.gz dist/hover_*.zip dist/checksums.txt
 
       - name: Load secrets from 1Password
-        uses: 1password/load-secrets-action@v2
+        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2
         with:
           export-env: true
         env:
           OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
           NPM_TOKEN: op://Good Native/npm/npm_access_token
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20
           registry-url: https://registry.npmjs.org