Pin gh actions (#1472)

lukasIO · web-flow · commit 5018dc758643 · 2026-03-31T14:31:06.000+02:00
* Pin gh actions

* min release age
diff --git a/.github/workflows/buildtest.yaml b/.github/workflows/buildtest.yaml
@@ -25,8 +25,8 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
-      - uses: actions/cache@v5
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           path: |
             ~/go/pkg/mod
@@ -35,9 +35,9 @@ jobs:
           key: livekit-protocol
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
-          go-version-file: 'go.mod'
+          go-version-file: "go.mod"
 
       - name: Set up gotestfmt
         run: go install github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.4.1
@@ -46,7 +46,7 @@ jobs:
         run: go mod download
 
       - name: Static Check
-        uses: amarpal/staticcheck-action@master
+        uses: amarpal/staticcheck-action@ab84170fc40f72c7045b5d669e149e06c2b96439
         with:
           checks: '["all", "-ST1000", "-ST1003", "-ST1020", "-ST1021", "-ST1022", "-SA1019"]'
           install-go: false
diff --git a/.github/workflows/generate.yaml b/.github/workflows/generate.yaml
@@ -23,23 +23,23 @@ jobs:
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Install Protoc
-        uses: arduino/setup-protoc@v2
+        uses: arduino/setup-protoc@a8b67ba40b37d35169e222f3bb352603327985b6 # v2.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:
           go-version: ">=1.20"
 
       - name: Go mod tidy
         run: go mod tidy
 
       - name: Install generators
-        uses: magefile/mage-action@v3
+        uses: magefile/mage-action@6f50bbb8ea47d56e62dee92392788acbc8192d0b # v3.1.0
         with:
           version: latest
           install-only: true
@@ -50,10 +50,10 @@ jobs:
       - name: Generate Protobuf
         run: mage proto
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
 
       - name: Use Node.js 20
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24
           cache: "pnpm"
@@ -66,7 +66,7 @@ jobs:
           pnpm --filter @livekit/protocol run generate:proto
 
       - name: Add changes
-        uses: EndBug/add-and-commit@v9
+        uses: EndBug/add-and-commit@a94899bca583c204427a224a7af87c02f9b325d5 # v9.1.4
         with:
           add: '["livekit", "replay", "rpc", "infra", "packages/javascript/src/gen"]'
           default_author: github_actions
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -17,17 +17,17 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Install Protoc
-        uses: arduino/setup-protoc@v2
+        uses: arduino/setup-protoc@a8b67ba40b37d35169e222f3bb352603327985b6 # v2.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: pnpm/action-setup@v4
+      - uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4.3.0
 
       - name: Use Node.js 20
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24
           cache: "pnpm"
@@ -37,7 +37,7 @@ jobs:
 
       - name: Create Release Pull Request or Publish packages
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
         with:
           # This expects you to have a script called ci:publish which does a build for your packages and calls changeset publish
           publish: pnpm ci:publish
@@ -46,7 +46,7 @@ jobs:
 
       - name: Create git tag for golang package
         if: steps.changesets.outputs.published == 'true'
-        uses: rickstaa/action-create-tag@v1
+        uses: rickstaa/action-create-tag@a1c7777fcb2fee4f19b0f283ba888afa11678b72 # v1.7.2
         id: tag_create
         with:
           tag: ${{format('v{0}', fromJson(steps.changesets.outputs.publishedPackages)[0].version)}}
diff --git a/.github/workflows/slack-notifier.yaml b/.github/workflows/slack-notifier.yaml
@@ -19,7 +19,7 @@ jobs:
   notify-devs:
     runs-on: ubuntu-latest
     steps:
-      - uses: livekit/slack-notifier-action@main
+      - uses: livekit/slack-notifier-action@34d9e973391fe5e4afacba015c4d144eb912e7ea
         with:
           config_json: ${{ secrets.SLACK_NOTIFY_CONFIG_JSON }}
           slack_token: ${{ secrets.SLACK_PR_NOTIFIER_TOKEN }}
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
@@ -1,3 +1,7 @@
 packages:
   - "packages/javascript"
   - "."
+
+minimumReleaseAge: 2880
+minimumReleaseAgeExclude:
+  - "@livekit/*"
diff --git a/renovate.json b/renovate.json
@@ -4,6 +4,7 @@
   "constraints": {
     "go": "1.22"
   },
+  "minimumReleaseAge": "2 days",
   "commitBody": "Generated by renovateBot",
   "packageRules": [
     {

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`	`"constraints": {`
`5`	`5`	`"go": "1.22"`
`6`	`6`	`},`
	`7`	`+ "minimumReleaseAge": "2 days",`
`7`	`8`	`"commitBody": "Generated by renovateBot",`
`8`	`9`	`"packageRules": [`
`9`	`10`	`{`