owncloud · jesmrec · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026 · Apr 6, 2026
diff --git a/.github/workflows/android-instrumented-data-tests.yml b/.github/workflows/android-instrumented-data-tests.yml
@@ -18,10 +18,10 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #v5.2.0
         with:
           java-version: '17'
           distribution: 'temurin'
@@ -33,7 +33,7 @@ jobs:
           sudo udevadm trigger --name-match=kvm
 
       - name: Run Instrumented Data Tests with emulator
-        uses: reactivecircus/android-emulator-runner@v2
+        uses: reactivecircus/android-emulator-runner@4fe4b1ae376568ff65de774de6c0ca8070944022 #v2.37.0
         with:
           api-level: 33
           target: google_apis

diff --git a/.github/workflows/android-unit-tests.yml b/.github/workflows/android-unit-tests.yml
@@ -18,16 +18,16 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: Set up JDK 17
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #v5.2.0
         with:
           java-version: '17'
           distribution: 'temurin'
 
       - name: Set up Gradle
-        uses: gradle/actions/setup-gradle@v5
+        uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e #v6.1.0
 
       - name: Build with Gradle
         run: ./gradlew assembleDebug

diff --git a/.github/workflows/build-apk.yml b/.github/workflows/build-apk.yml
@@ -68,7 +68,7 @@ jobs:
 
       # Checkout the repo
       - name: Checkout current repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           repository: owncloud/android
           ref: ${{ inputs.version }}
@@ -83,14 +83,14 @@ jobs:
 
       # Set Java-JDK version
       - name: Setup JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #v5.2.0
         with:
           distribution: 'temurin'
           java-version: '17'
 
       # Cache gradle
       - name: Cache Gradle
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
         with:
           path: |
             ~/.gradle/caches
@@ -134,7 +134,7 @@ jobs:
 
       # Publish the artifact
       - name: Upload artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
         with:
           name: ${{ steps.set_artifact.outputs.artifact_name }}
           path: ./${{ steps.set_artifact.outputs.artifact_name }}
diff --git a/.github/workflows/calens.yml b/.github/workflows/calens.yml
@@ -20,15 +20,15 @@ jobs:
     name: Generate Calens Changelog
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           persist-credentials: false
       - name: Run Calens
-        uses: actionhippie/calens@v1.12.4
+        uses: actionhippie/calens@244f3e5
         with:
           target: CHANGELOG.md
       - name: Commit files
-        uses: GuillaumeFalourd/git-commit-push@v1.3
+        uses: GuillaumeFalourd/git-commit-push@205c043bca2f932f7a48a28a8d619ba30eb84ba #v1.3
         with:
           email: devops@owncloud.com
           name: ownClouders

diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
@@ -17,7 +17,7 @@ jobs:
     steps:
       # Checkout the repository
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           # Limit of validation to skip fetching all existing commits
           fetch-depth: 100

diff --git a/.github/workflows/detekt.yml b/.github/workflows/detekt.yml
@@ -22,16 +22,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
     - name: Set up JDK 17
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #v5.2.0
       with:
         java-version: '17'
         distribution: 'temurin'
 
     # Configure Gradle for optimal use in GitHub Actions, including caching of downloaded dependencies.
     # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@v5
+      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e #v6.1.0
     - name: detekt execution
       run: ./gradlew detekt
diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
@@ -9,7 +9,7 @@ jobs:
     name: "Validation"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
-      - uses: gradle/actions/setup-gradle@v5
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+      - uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e #v6.1.0
         with:
           validate-wrappers: true
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -28,7 +28,7 @@ jobs:
     steps:
       # Checkout the repository
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
         with:
           # Parent commit to compare
           fetch-depth: 2
@@ -37,7 +37,7 @@ jobs:
 
       # Cache Gradle dependencies to speed up future builds
       - name: Cache Gradle dependencies
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 #v5.0.4
         with:
           path: |
             ~/.gradle/caches
@@ -49,7 +49,7 @@ jobs:
 
       # Set up Java 17 (required by Gradle and CycloneDX plugin)
       - name: Set up JDK 17
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 #v5.2.0
         with:
           java-version: '17'
           distribution: 'temurin'
@@ -101,7 +101,7 @@ jobs:
       # Commit the SBOM file only if it differs from master to avoid unnecessary commits
       - name: Commit and push updated SBOM
         if: steps.compare.outputs.no_changes == 'false'
-        uses: GuillaumeFalourd/git-commit-push@v1.3
+        uses: GuillaumeFalourd/git-commit-push@205c043bca2f932f7a48a28a8d619ba30eb84ba #v1.3
         with:
           commit_message: "docs: SBOM updated"
           files: sbom.json

diff --git a/.github/workflows/validate-source-strings.yml b/.github/workflows/validate-source-strings.yml
@@ -13,7 +13,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
 
       - name: Install xmlstarlet
         run: sudo apt-get update && sudo apt-get install -y xmlstarlet

diff --git a/changelog/unreleased/4815 b/changelog/unreleased/4815
@@ -0,0 +1,5 @@
+Change: Actions with SHA commits instead of versions 
+
+Commit SHA references have been added to GitHub Actions workflows to be compliant with new security policies
+
+https://github.com/owncloud/android/pull/4815