ci(codeql): pin actions to commit SHAs

Replaces floating major-version tags with full commit SHAs (Tag- Kommentar dahinter), so a tag-republish can't slip a different action into the workflow.
2026-05-05 07:45:37 +02:00
parent 8db3eca46c
commit 08b2ffc600
1 changed files with 7 additions and 7 deletions
@@ -39,10 +39,10 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - name: Setup .NET 10
-        uses: actions/setup-dotnet@v5
+        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7  # v5.2.0
        with:
          dotnet-version: 10.0.x

@@ -55,7 +55,7 @@ jobs:
          Expand-Archive -Force -Path dalamud.zip -DestinationPath $hooks

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
        with:
          languages: csharp
          build-mode: manual
@@ -68,7 +68,7 @@ jobs:
        run: dotnet build HellionChat/HellionChat.csproj --configuration Release --no-restore

      - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
        with:
          category: /language:csharp

@@ -79,15 +79,15 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
        with:
          languages: actions
          build-mode: none

      - name: Perform CodeQL analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7  # v4.35.3
        with:
          category: /language:actions