ci: Pin third-party GitHub Actions to commit SHAs

.github/actions/api-deploy-ecs/action.yml

@@ -53,23 +53,23 @@ runs:
 
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
       with:
         aws-access-key-id: ${{ inputs.aws_access_key_id }}
         aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
         aws-region: eu-west-2
 
     - name: Render SDK API task definition
       id: task-def-sdk-api
-      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1
       with:
         task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-sdk-api.json
         container-name: flagsmith-api
         image: ${{ inputs.api_ecr_image_url }}
 
     - name: Render Admin API task definition
       id: task-def-admin-api
-      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1
       with:
         task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-admin-api.json
         container-name: flagsmith-api
@@ -78,7 +78,7 @@ runs:
     # This is used in both the SQL migrations and the Dynamo Identity Migrations
     - name: Fill in the new image ID in the Amazon ECS migration task definition
       id: task-def-migration
-      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1
       with:
         task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-migration.json
         container-name: flagsmith-api-migration
@@ -103,15 +103,15 @@ runs:
 
     - name: Deploy new Task Definition to ECS Admin API service
       id: deploy-admin-api-task-definition
-      uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+      uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2
       with:
         cluster: ${{ inputs.aws_ecs_cluster_name }}
         service: ${{ inputs.aws_ecs_service_name }}
         task-definition: ${{ steps.task-def-admin-api.outputs.task-definition }}
 
     - name: Deploy new Task Definition to ECS SDK API service
       id: deploy-sdk-api-task-definition
-      uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+      uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2
       with:
         cluster: ${{ inputs.aws_ecs_cluster_name }}
         service: ${{ inputs.aws_ecs_sdk_service_name }}

.github/actions/codeartifact-login/action.yml

@@ -13,7 +13,7 @@ runs:
   using: composite
   steps:
     - name: Configure AWS credentials for CodeArtifact
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
       with:
         role-to-assume: arn:aws:iam::084060095745:role/codeartifact-github-actions-production
         aws-region: eu-west-2

.github/actions/docker-build-report-to-pr/action.yml

@@ -16,27 +16,27 @@ runs:
   using: composite
 
   steps:
-    - uses: peter-evans/find-comment@v3
+    - uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3
       id: find-comment
       with:
         issue-number: ${{ github.event.pull_request.number }}
         body-includes: 'Docker builds report'
 
-    - uses: chuhlomin/render-template@v1.4
+    - uses: chuhlomin/render-template@aacf4ca31e76dfdf3c5c32f7803d67271469f2a6 # v1.4
       if: ${{ !inputs.image-tag }}
       id: render-header
       with:
         template: .github/docker_build_comment_template.md
 
-    - uses: peter-evans/create-or-update-comment@v4
+    - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
       if: ${{ !inputs.image-tag }}
       with:
         comment-id: ${{ steps.find-comment.outputs.comment-id }}
         edit-mode: replace
         issue-number: ${{ github.event.pull_request.number }}
         body: ${{ steps.render-header.outputs.result }}
 
-    - uses: peter-evans/create-or-update-comment@v4
+    - uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4
       if: ${{ inputs.image-tag }}
       with:
         comment-id: ${{ steps.find-comment.outputs.comment-id }}

.github/actions/e2e-tests/action.yml

@@ -19,15 +19,15 @@ runs:
   using: composite
 
   steps:
-    - uses: actions/checkout@v5
-    - uses: actions/setup-node@v4
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+    - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
       with:
         cache: npm
         node-version-file: frontend/.nvmrc
         cache-dependency-path: frontend/package-lock.json
 
     - name: Cache Playwright browsers
-      uses: actions/cache@v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
       with:
         path: ~/.cache/ms-playwright
         key: ${{ runner.os }}-playwright-${{ hashFiles('frontend/package-lock.json') }}
@@ -46,7 +46,7 @@ runs:
       shell: bash
 
     - name: Run E2E tests
-      uses: nick-fields/retry@v3
+      uses: nick-fields/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3
       with:
         shell: bash
         command: |

.github/actions/install-uv/action.yml

@@ -12,7 +12,7 @@ inputs:
 runs:
   using: composite
   steps:
-    - uses: astral-sh/setup-uv@v6
+    - uses: astral-sh/setup-uv@d0d8abe699bfb85fec6de9f7adb5ae17292296ff # v6
       with:
         version-file: api/pyproject.toml
         python-version: ${{ inputs.python-version }}

.github/actions/task-processor-deploy-ecs/action.yml

@@ -26,23 +26,23 @@ runs:
 
   steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
+      uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
       with:
         aws-access-key-id: ${{ inputs.aws_access_key_id }}
         aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
         aws-region: eu-west-2
 
     - name: Fill in the new image ID in the Amazon ECS Task Processor task definition
       id: task-def-task-processor
-      uses: aws-actions/amazon-ecs-render-task-definition@v1
+      uses: aws-actions/amazon-ecs-render-task-definition@6853cfae8c3a7d978fbf68b5a55453395541dfbb # v1
       with:
         task-definition: ${{ inputs.aws_task_definitions_directory_path }}/ecs-task-definition-task-processor.json
         container-name: flagsmith-task-processor
         image: ${{ inputs.api_ecr_image_url }}
 
     - name: Deploy Amazon ECS Task Processor task definition
       id: deploy-task-processor-task-def
-      uses: aws-actions/amazon-ecs-deploy-task-definition@v2
+      uses: aws-actions/amazon-ecs-deploy-task-definition@a310a830f5c14e583e35d84e4e1ec7dd177c3c9c # v2
       with:
         cluster: ${{ inputs.aws_ecs_cluster_name }}
         service: ${{ inputs.aws_ecs_service_name }}

.github/workflows/.reusable-deploy-ecs.yml

@@ -27,13 +27,13 @@ jobs:
 
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Depot CLI
-        uses: depot/setup-action@v1
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@ff717079ee2060e4bcee96c4779b553acc87447c # v4
         with:
           aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -42,11 +42,11 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v1
+        uses: aws-actions/amazon-ecr-login@5a88a04c91d5c6f97aae0d9be790e64d9b1d47b7 # v1
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: |
             ${{ steps.login-ecr.outputs.registry }}/${{ inputs.saas-image-name }}
@@ -59,7 +59,7 @@ jobs:
         uses: ./.github/actions/codeartifact-login
 
       - name: Build saas-api image
-        uses: depot/build-push-action@v1
+        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1
         with:
           target: saas-api
           context: .
@@ -78,7 +78,7 @@ jobs:
     runs-on: depot-ubuntu-latest
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Deploy API to ${{ inputs.environment }}
         id: deploy-api
@@ -119,7 +119,7 @@ jobs:
 
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       # Temporarily install Firefox 143.0 to avoid test failures as superior versions cause frontend e2e tests to hang
       # To be removed once upstream issue correctly resolved

.github/workflows/.reusable-docker-build.yml

@@ -89,22 +89,22 @@ jobs:
 
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Set up Depot CLI
-        uses: depot/setup-action@v1
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1
 
       - name: Login to Github Container Registry
         if: ${{ !inputs.ephemeral }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ inputs.registry-url }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: |
             ${{ inputs.registry-url }}/flagsmith/${{ inputs.image-name }}
@@ -117,7 +117,7 @@ jobs:
 
       - name: Build and push image
         id: build
-        uses: depot/build-push-action@v1
+        uses: depot/build-push-action@98e78adca7817480b8185f474a400b451d74e287 # v1
         with:
           context: .
           save: ${{ inputs.ephemeral }}

.github/workflows/.reusable-docker-e2e-tests.yml

@@ -61,7 +61,7 @@ jobs:
 
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Determine test type
         id: test-type
@@ -76,14 +76,14 @@ jobs:
 
       - name: Login to Github Container Registry
         if: ${{ env.GCR_TOKEN }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ env.GCR_TOKEN }}
 
       - name: Set up Depot CLI
-        uses: depot/setup-action@v1
+        uses: depot/setup-action@15c09a5f77a0840ad4bce955686522a257853461 # v1
 
       - name: Login to Depot Registry
         run: depot pull-token | docker login -u x-token --password-stdin registry.depot.dev
@@ -97,7 +97,7 @@ jobs:
         if: inputs.visual-regression
         id: download-baseline
         continue-on-error: true
-        uses: dawidd6/action-download-artifact@v6
+        uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
         with:
           github_token: ${{ secrets.GCR_TOKEN }}
           workflow: platform-docker-build-test-publish.yml
@@ -133,7 +133,7 @@ jobs:
 
       - name: Upload HTML report
         if: failure()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: playwright-html-report-${{ steps.test-type.outputs.type }}-${{ github.run_id }}-${{ github.run_attempt }}-${{ strategy.job-index }}
           path: frontend/e2e/playwright-report/
@@ -167,7 +167,7 @@ jobs:
       - name: Generate test report summary (success)
         id: report-summary-success
         if: success() && github.event_name == 'pull_request'
-        uses: daun/playwright-report-summary@v3
+        uses: daun/playwright-report-summary@1229105480a2a4bdd91598d8a146fbab41343fce # v3
         with:
           report-file: frontend/e2e/playwright-report/results.json
           comment-title: 'Playwright Test Results (${{ steps.test-type.outputs.label }} - ${{ inputs.runs-on }})'
@@ -178,7 +178,7 @@ jobs:
       - name: Generate test report summary (failure)
         id: report-summary-failure
         if: failure() && github.event_name == 'pull_request'
-        uses: daun/playwright-report-summary@v3
+        uses: daun/playwright-report-summary@1229105480a2a4bdd91598d8a146fbab41343fce # v3
         with:
           report-file: frontend/e2e/playwright-report/results.json
           comment-title: 'Playwright Test Results (${{ steps.test-type.outputs.label }} - ${{ inputs.runs-on }})'
@@ -190,7 +190,7 @@ jobs:
       - name: Comment PR with test results
         if: always() && github.event_name == 'pull_request' && (steps.report-summary-success.outputs.summary || steps.report-summary-failure.outputs.summary)
         continue-on-error: true
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
         with:
           header: playwright-e2e-results
           append: true
@@ -199,7 +199,7 @@ jobs:
       # Visual regression: after all E2E retries, run comparison and upload results
       - name: Upload visual regression baselines (main branch)
         if: always() && inputs.visual-regression-update
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: visual-regression-baselines
           path: frontend/e2e/visual-regression-screenshots/
@@ -208,7 +208,7 @@ jobs:
 
       - name: Upload visual regression report
         if: always() && inputs.visual-regression && !inputs.visual-regression-update
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
         with:
           name: visual-regression-report-${{ github.run_id }}-${{ strategy.job-index }}
           path: frontend/e2e/visual-regression-report/
@@ -234,7 +234,7 @@ jobs:
       - name: Comment PR with visual regression results
         if: always() && inputs.visual-regression && !inputs.visual-regression-update && github.event_name == 'pull_request' && steps.visual-regression-summary.outputs.message
         continue-on-error: true
-        uses: marocchino/sticky-pull-request-comment@v2
+        uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2
         with:
           header: visual-regression-results
           message: |

.github/workflows/.reusable-docker-publish.yml

@@ -40,39 +40,39 @@ jobs:
 
     steps:
       - name: Cloning repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           sparse-checkout: depot.json
           sparse-checkout-cone-mode: false
 
       - name: Login to Github Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ${{ inputs.target-registry-url }}
           username: ${{ inputs.docker-username }}
           password: ${{ secrets[inputs.docker-password-secret-name] }}
 
       - name: Docker metadata
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5
         with:
           images: ${{ inputs.target-images }}
           tags: |
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
 
       # Setup Docker buildx with Depot builder so imagetools have access to Depot cache
-      - uses: depot/use-action@v1
+      - uses: depot/use-action@9bda29f1fc3163c06fc15f375887a341096a5639 # v1
 
       - name: Publish Image
-        uses: kphrx/docker-buildx-imagetools-action@v0.1.2
+        uses: kphrx/docker-buildx-imagetools-action@dc0bb0ebac7e6db5e34a0f3f51817912727216ba # v0.1.2
         with:
           sources: ${{ inputs.source-images }}
           tags: ${{ steps.meta.outputs.tags }}