ci: Pin actions to SHAs for more security

Author: BlayTheNinth

.github/workflows/label-issues.yaml

@@ -15,7 +15,7 @@ jobs:
       - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
 
       - name: Parse issue form
-        uses: TwelveIterations/github-issue-parser@main
+        uses: TwelveIterations/github-issue-parser@31002363586b06c42d69c874b03f6a839e9c53ba
         id: issue-parser
         with:
           template-path: https://raw.githubusercontent.com/TwelveIterations/.github/refs/heads/main/.github/ISSUE_TEMPLATE/${{ matrix.template }}
@@ -25,4 +25,4 @@ jobs:
         with:
           issue-form: ${{ steps.issue-parser.outputs.jsonString }}
           template: ${{ matrix.template }}
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/manage-labels.yaml

@@ -20,8 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     name: manage-labels
     steps:
-      - uses: actions/checkout@v2
-      - uses: TwelveIterations/manage-labels@main
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      - uses: TwelveIterations/manage-labels@2eb52a52431a345ad446f03003ba5c50ddf18d08
         with:
           dry: ${{ inputs.dry }}
           remove_missing: ${{ inputs.remove_missing }}

.github/workflows/publish-release.yml

@@ -38,11 +38,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Validate gradle wrapper
-        uses: gradle/actions/wrapper-validation@v5
+        uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e
       - name: Setup JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         with:
           java-version: 25
           distribution: temurin
@@ -58,7 +58,7 @@ jobs:
             exit 1
           fi
       - name: Validate en_us.json file
-        uses: TwelveIterations/validate-minecraft-lang@v1
+        uses: TwelveIterations/validate-minecraft-lang@0fc8683f070a73c13015b3e17a2130baa9e89d82
   create-release:
     runs-on: ubuntu-latest
     environment: Releases
@@ -69,13 +69,13 @@ jobs:
       build-matrix: ${{ steps.set-build-matrix.outputs.result }}
       publish-matrix: ${{ steps.set-publish-matrix.outputs.result }}
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3
         id: app-token
         with:
           app-id: ${{ vars.AUTOMATIONS_APP_ID }}
           private-key: ${{ secrets.AUTOMATIONS_PRIVATE_KEY }}
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           token: ${{ steps.app-token.outputs.token }}
       - name: Get GitHub App User ID
@@ -91,7 +91,7 @@ jobs:
         run: echo "version=$(cat gradle.properties | grep -w "\bversion\s*=" | cut -d= -f2)" >> $GITHUB_OUTPUT
         id: extract-version
       - name: Bumping version
-        uses: TwelveIterations/bump-version@v1
+        uses: TwelveIterations/bump-version@86901cde5897b550e2e98fbe8962afc401c23c8f
         with:
           version: ${{ steps.extract-version.outputs.version }}
           bump: revision
@@ -108,7 +108,7 @@ jobs:
           BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
       - name: Preparing build matrix
         id: set-build-matrix
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
         with:
           script: |
             const fs = require('fs');
@@ -121,7 +121,7 @@ jobs:
             }
       - name: Preparing publish matrix
         id: set-publish-matrix
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
         with:
           script: |
             const fs = require('fs');
@@ -147,13 +147,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ needs.create-release.outputs.ref }}
       - name: Validate gradle wrapper
-        uses: gradle/actions/wrapper-validation@v5
+        uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e
       - name: Setup JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         with:
           java-version: 25
           distribution: temurin
@@ -163,7 +163,7 @@ jobs:
       - name: Build common artifact
         run: ./gradlew :common:build '-Pversion=${{needs.create-release.outputs.version}}'
       - name: Upload common artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: common-artifact
           path: common/build
@@ -175,21 +175,21 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ needs.create-release.outputs.ref }}
       - name: Validate gradle wrapper
-        uses: gradle/actions/wrapper-validation@v5
+        uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e
       - name: Setup JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         with:
           java-version: 25
           distribution: temurin
           cache: 'gradle'
       - name: Make gradle wrapper executable
         run: chmod +x ./gradlew
       - name: Download common artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: common-artifact
           path: common/build
@@ -199,7 +199,7 @@ jobs:
       - name: Build ${{ matrix.loader }} artifact
         run: ./gradlew :${{ matrix.loader }}:build '-Pversion=${{needs.create-release.outputs.version}}'
       - name: Upload ${{ matrix.loader }} artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
         with:
           name: ${{ matrix.loader }}-artifact
           path: ${{ matrix.loader }}/build
@@ -214,18 +214,18 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           ref: ${{ needs.create-release.outputs.ref }}
       - name: Download ${{ matrix.loader }} artifact
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: ${{ matrix.loader }}-artifact
           path: ${{ matrix.loader }}/build
       - name: Validate gradle wrapper
-        uses: gradle/actions/wrapper-validation@v5
+        uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e
       - name: Setup JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         with:
           java-version: 25
           distribution: temurin

.github/workflows/publish-snapshot.yml

@@ -10,11 +10,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Validate gradle wrapper
-        uses: gradle/actions/wrapper-validation@v5
+        uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e
       - name: Setup JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         with:
           java-version: 25
           distribution: temurin
@@ -30,18 +30,18 @@ jobs:
             exit 1
           fi
       - name: Validate en_us.json file
-        uses: TwelveIterations/validate-minecraft-lang@v1
+        uses: TwelveIterations/validate-minecraft-lang@0fc8683f070a73c13015b3e17a2130baa9e89d82
   prepare-matrix:
     runs-on: ubuntu-latest
     needs: verify-resources
     outputs:
       matrix: ${{ steps.set-matrix.outputs.result }}
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Preparing matrix
         id: set-matrix
-        uses: actions/github-script@v8
+        uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3
         with:
           script: |
             const fs = require('fs');
@@ -62,11 +62,11 @@ jobs:
       fail-fast: false
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       - name: Validate gradle wrapper
-        uses: gradle/actions/wrapper-validation@v5
+        uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e
       - name: Setup JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654
         with:
           java-version: 25
           distribution: temurin
@@ -77,7 +77,7 @@ jobs:
         run: echo "version=$(cat gradle.properties | grep -w "\bversion\s*=" | cut -d= -f2)" >> $GITHUB_OUTPUT
         id: extract-version
       - name: Bumping version
-        uses: TwelveIterations/bump-version@v1
+        uses: TwelveIterations/bump-version@86901cde5897b550e2e98fbe8962afc401c23c8f
         with:
           version: ${{ steps.extract-version.outputs.version }}
           bump: revision