From d97e6d46e2473ba2f7e9faf6188550db62136d1c Mon Sep 17 00:00:00 2001 From: Kaiyi Li Date: Mon, 27 Apr 2026 11:27:05 -0700 Subject: [PATCH 1/2] pin github actions to SHAs --- .github/workflows/build-dawn.yml | 8 ++++---- .github/workflows/build-skia-graphite.yml | 8 ++++---- .github/workflows/build-skia.yml | 6 +++--- .github/workflows/ci-graphite.yml | 6 +++--- .github/workflows/ci.yml | 4 ++-- .github/workflows/test-skia-package.yml | 6 +++--- 6 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/build-dawn.yml b/.github/workflows/build-dawn.yml index 97e1e89091..15415d63df 100644 --- a/.github/workflows/build-dawn.yml +++ b/.github/workflows/build-dawn.yml @@ -45,7 +45,7 @@ jobs: - name: Create GitHub release id: create_release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -100,7 +100,7 @@ jobs: - name: Setup Android NDK id: setup-ndk - uses: nttld/setup-ndk@v1 + uses: nttld/setup-ndk@ed92fe6cadad69be94a966a7ee3271275e62f779 # v1 with: ndk-version: r27d @@ -183,7 +183,7 @@ jobs: # submodules: true - name: Setup Xcode - uses: maxim-lobanov/setup-xcode@v1 + uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1 with: xcode-version: latest-stable @@ -263,7 +263,7 @@ jobs: tar -czf dawn-headers-${TAG}.tar.gz dawn-headers - name: Upload to GitHub release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/build-skia-graphite.yml b/.github/workflows/build-skia-graphite.yml index c2f8332edb..9fa6a6c1c5 100644 --- a/.github/workflows/build-skia-graphite.yml +++ b/.github/workflows/build-skia-graphite.yml @@ -85,7 +85,7 @@ jobs: - name: Create GitHub release if: ${{ github.event.inputs.dry_run != 'true' }} id: create_release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -149,7 +149,7 @@ jobs: run: echo "ANDROID_NDK=$ANDROID_HOME/ndk-bundle" >> $GITHUB_ENV - name: Setup Ninja - uses: seanmiddleditch/gha-setup-ninja@master + uses: seanmiddleditch/gha-setup-ninja@7e868db0f3406270dd46e1dac26c65f621456723 # master - name: Setup uses: ./.github/actions/setup @@ -213,7 +213,7 @@ jobs: - name: Upload binaries to GitHub release - ${{ matrix.artifact_name }} if: ${{ github.event.inputs.dry_run != 'true' }} - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -258,7 +258,7 @@ jobs: - name: Upload Graphite Headers to GitHub release if: ${{ matrix.target == 'apple-ios' && github.event.inputs.dry_run != 'true' }} - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/build-skia.yml b/.github/workflows/build-skia.yml index bd855230a7..63377a502c 100644 --- a/.github/workflows/build-skia.yml +++ b/.github/workflows/build-skia.yml @@ -63,7 +63,7 @@ jobs: - name: Create GitHub release if: ${{ github.event.inputs.dry_run != 'true' }} id: create_release - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -115,7 +115,7 @@ jobs: ndk-version: r27c - name: Setup Ninja - uses: seanmiddleditch/gha-setup-ninja@master + uses: seanmiddleditch/gha-setup-ninja@7e868db0f3406270dd46e1dac26c65f621456723 # master - name: Setup uses: ./.github/actions/setup @@ -164,7 +164,7 @@ jobs: - name: Upload binaries to GitHub release - ${{ matrix.artifact_name }} if: ${{ github.event.inputs.dry_run != 'true' }} - uses: softprops/action-gh-release@v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/ci-graphite.yml b/.github/workflows/ci-graphite.yml index bc5a0137fa..b3c5fb1a4e 100644 --- a/.github/workflows/ci-graphite.yml +++ b/.github/workflows/ci-graphite.yml @@ -34,7 +34,7 @@ jobs: graphite: true - name: Free disk space - uses: jlumbroso/free-disk-space@main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main with: tool-cache: false android: false @@ -124,7 +124,7 @@ jobs: graphite: true - name: Setup Android SDK - uses: android-actions/setup-android@v4 + uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4 - name: Install Android SDK tools run: | @@ -151,7 +151,7 @@ jobs: run: E2E=true yarn start & - name: Run Android Emulator Tests - uses: reactivecircus/android-emulator-runner@v2 + uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2 with: api-level: 30 arch: x86_64 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index fb2d86dd97..035dc27b4b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -239,7 +239,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Setup Android SDK - uses: android-actions/setup-android@v4 + uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4 - name: Install Android SDK tools run: | @@ -266,7 +266,7 @@ jobs: run: E2E=true yarn start & - name: Run Android Emulator Tests - uses: reactivecircus/android-emulator-runner@v2 + uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2 with: api-level: 30 arch: x86_64 diff --git a/.github/workflows/test-skia-package.yml b/.github/workflows/test-skia-package.yml index 07ea874ff4..6605b4ff62 100644 --- a/.github/workflows/test-skia-package.yml +++ b/.github/workflows/test-skia-package.yml @@ -68,7 +68,7 @@ jobs: pwd - name: Create Expo app with Skia template - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: timeout_minutes: 10 max_attempts: 3 @@ -231,7 +231,7 @@ jobs: pwd - name: Create Expo app with Skia template - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: timeout_minutes: 10 max_attempts: 3 @@ -381,7 +381,7 @@ jobs: pwd - name: Create Expo app with Skia template - uses: nick-fields/retry@v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 with: timeout_minutes: 10 max_attempts: 3 From 105d5889fc90571052764a0f0cc4d6685c0b586d Mon Sep 17 00:00:00 2001 From: Kaiyi Li Date: Mon, 27 Apr 2026 13:01:42 -0700 Subject: [PATCH 2/2] Use precise semver tags in pin comments --- .github/workflows/build-dawn.yml | 8 ++++---- .github/workflows/build-skia-graphite.yml | 6 +++--- .github/workflows/build-skia.yml | 4 ++-- .github/workflows/ci-graphite.yml | 6 +++--- .github/workflows/ci.yml | 4 ++-- .github/workflows/test-skia-package.yml | 6 +++--- 6 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build-dawn.yml b/.github/workflows/build-dawn.yml index 15415d63df..a2d9c85a23 100644 --- a/.github/workflows/build-dawn.yml +++ b/.github/workflows/build-dawn.yml @@ -45,7 +45,7 @@ jobs: - name: Create GitHub release id: create_release - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -100,7 +100,7 @@ jobs: - name: Setup Android NDK id: setup-ndk - uses: nttld/setup-ndk@ed92fe6cadad69be94a966a7ee3271275e62f779 # v1 + uses: nttld/setup-ndk@ed92fe6cadad69be94a966a7ee3271275e62f779 # v1.6.0 with: ndk-version: r27d @@ -183,7 +183,7 @@ jobs: # submodules: true - name: Setup Xcode - uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1 + uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1.7.0 with: xcode-version: latest-stable @@ -263,7 +263,7 @@ jobs: tar -czf dawn-headers-${TAG}.tar.gz dawn-headers - name: Upload to GitHub release - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/build-skia-graphite.yml b/.github/workflows/build-skia-graphite.yml index 9fa6a6c1c5..95d4abcb24 100644 --- a/.github/workflows/build-skia-graphite.yml +++ b/.github/workflows/build-skia-graphite.yml @@ -85,7 +85,7 @@ jobs: - name: Create GitHub release if: ${{ github.event.inputs.dry_run != 'true' }} id: create_release - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -213,7 +213,7 @@ jobs: - name: Upload binaries to GitHub release - ${{ matrix.artifact_name }} if: ${{ github.event.inputs.dry_run != 'true' }} - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -258,7 +258,7 @@ jobs: - name: Upload Graphite Headers to GitHub release if: ${{ matrix.target == 'apple-ios' && github.event.inputs.dry_run != 'true' }} - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/build-skia.yml b/.github/workflows/build-skia.yml index 63377a502c..34e72359b4 100644 --- a/.github/workflows/build-skia.yml +++ b/.github/workflows/build-skia.yml @@ -63,7 +63,7 @@ jobs: - name: Create GitHub release if: ${{ github.event.inputs.dry_run != 'true' }} id: create_release - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: @@ -164,7 +164,7 @@ jobs: - name: Upload binaries to GitHub release - ${{ matrix.artifact_name }} if: ${{ github.event.inputs.dry_run != 'true' }} - uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3 + uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: diff --git a/.github/workflows/ci-graphite.yml b/.github/workflows/ci-graphite.yml index b3c5fb1a4e..1fe51e2474 100644 --- a/.github/workflows/ci-graphite.yml +++ b/.github/workflows/ci-graphite.yml @@ -34,7 +34,7 @@ jobs: graphite: true - name: Free disk space - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main + uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1 with: tool-cache: false android: false @@ -124,7 +124,7 @@ jobs: graphite: true - name: Setup Android SDK - uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4 + uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1 - name: Install Android SDK tools run: | @@ -151,7 +151,7 @@ jobs: run: E2E=true yarn start & - name: Run Android Emulator Tests - uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2 + uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2.37.0 with: api-level: 30 arch: x86_64 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 035dc27b4b..b483dd85a7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -239,7 +239,7 @@ jobs: github_token: ${{ secrets.GITHUB_TOKEN }} - name: Setup Android SDK - uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4 + uses: android-actions/setup-android@40fd30fb8d7440372e1316f5d1809ec01dcd3699 # v4.0.1 - name: Install Android SDK tools run: | @@ -266,7 +266,7 @@ jobs: run: E2E=true yarn start & - name: Run Android Emulator Tests - uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2 + uses: reactivecircus/android-emulator-runner@e89f39f1abbbd05b1113a29cf4db69e7540cae5a # v2.37.0 with: api-level: 30 arch: x86_64 diff --git a/.github/workflows/test-skia-package.yml b/.github/workflows/test-skia-package.yml index 6605b4ff62..14c69604a1 100644 --- a/.github/workflows/test-skia-package.yml +++ b/.github/workflows/test-skia-package.yml @@ -68,7 +68,7 @@ jobs: pwd - name: Create Expo app with Skia template - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 10 max_attempts: 3 @@ -231,7 +231,7 @@ jobs: pwd - name: Create Expo app with Skia template - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 10 max_attempts: 3 @@ -381,7 +381,7 @@ jobs: pwd - name: Create Expo app with Skia template - uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4 + uses: nick-fields/retry@ad984534de44a9489a53aefd81eb77f87c70dc60 # v4.0.0 with: timeout_minutes: 10 max_attempts: 3