diff --git a/.github/workflows/build_and_deploy.yaml b/.github/workflows/build_and_deploy.yaml index b91f644..e7cef75 100644 --- a/.github/workflows/build_and_deploy.yaml +++ b/.github/workflows/build_and_deploy.yaml @@ -107,7 +107,7 @@ jobs: environment: ${{ needs.prepare.outputs.deploy == 'true' && 'packages.element.io' || '' }} steps: - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 - name: Prepare artifacts for deployment run: | @@ -197,7 +197,7 @@ jobs: - name: Stash packages.element.io if: needs.prepare.outputs.deploy == 'false' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: packages.element.io path: packages.element.io @@ -235,7 +235,7 @@ jobs: - name: Stash debs if: needs.prepare.outputs.deploy == 'false' && needs.linux.result == 'success' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: debs path: | @@ -274,14 +274,14 @@ jobs: id-token: write # This is required for requesting the JWT steps: - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 with: role-to-assume: arn:aws:iam::264135176173:role/Push-ElementDesktop-MSI role-session-name: githubaction-run-${{ github.run_id }} aws-region: ${{ env.AWS_REGION }} - name: Download artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: win-* diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index a78b2ad..2fd9971 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
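Review bot: The `# v4` comment after each pinned SHA (first at `uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4` in the first hunk) names only the moving major tag, so nothing on the line says which release the commit belongs to. I would record the exact release instead, e.g. `uses: actions/download-artifact@<sha> # v4.x.y` (placeholder; use the tag the SHA was resolved from), which update tooling such as Dependabot or Renovate can typically keep in step with the SHA. Before merging, confirm that each SHA is the commit of a release tag in the action's own repository, because a commit that exists only in a fork can resolve under the same `owner/repo@sha` form. The same applies to every `uses:` line changed in the other workflow hunks of this commit, and most of all to `aws-actions/configure-aws-credentials`, which runs in a job holding `id-token: write`.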
@@ -52,9 +52,9 @@ jobs: runs-on: ubuntu-24.04 if: always() steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: cache: "yarn" node-version: "lts/*" @@ -63,7 +63,7 @@ jobs: run: yarn install --frozen-lockfile - name: Download blob reports from GitHub Actions Artifacts - uses: actions/download-artifact@v4 + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: pattern: blob-report-* path: all-blob-reports @@ -74,7 +74,7 @@ jobs: - name: Upload HTML report if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: html-report path: playwright-report diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index d56f6a8..0a3cad1 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml @@ -60,21 +60,21 @@ jobs: } } - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: webapp - name: Cache .hak id: cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: key: ${{ runner.os }}-${{ github.ref_name }}-${{ inputs.sqlcipher }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion', 'dockerbuild/*') }} path: | ./.hak - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: .node-version cache: "yarn" 
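Review bot: The pinned `actions/checkout` step in this hunk still runs with the action's default `persist-credentials: true`, which leaves the job token in the checkout's git config for every later step. Unless a later step needs to push or fetch with git (the rest of the job is outside the hunk), I would add `with:` and `persist-credentials: false` under `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`. This matters most in jobs that also upload artifacts or hold write permissions, such as the `packages: write` job in dockerbuild.yaml. The same applies to the checkout lines in the build_linux, build_macos, build_prepare, build_test, build_windows, dockerbuild and static_analysis hunks.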
@@ -173,7 +173,7 @@ jobs: # We exclude *-unpacked as it loses permissions and the tarball contains it with correct permissions - name: Upload Artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: linux-${{ inputs.arch }}-sqlcipher-${{ inputs.sqlcipher }} path: | diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index 1ea5d4c..325a98d 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml @@ -37,15 +37,15 @@ jobs: runs-on: macos-14 # M1 environment: ${{ inputs.sign && 'packages.element.io' || '' }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: webapp - name: Cache .hak id: cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: key: ${{ runner.os }}-${{ hashFiles('hakHash', 'electronVersion') }} path: | @@ -60,11 +60,11 @@ jobs: rustup target add x86_64-apple-darwin # M1 macos-14 comes without Python preinstalled - - uses: actions/setup-python@v5 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5 with: python-version: "3.13" - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: .node-version cache: "yarn" @@ -137,7 +137,7 @@ jobs: # We exclude mac-universal as the unpacked app takes forever to upload and zip and dmg already contains it - name: Upload Artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: macos path: | diff --git a/.github/workflows/build_prepare.yaml b/.github/workflows/build_prepare.yaml index 7e4011f..64253f5 100644 --- a/.github/workflows/build_prepare.yaml 
+++ b/.github/workflows/build_prepare.yaml @@ -49,9 +49,9 @@ jobs: outputs: nightly-version: ${{ steps.versions.outputs.nightly }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: .node-version cache: "yarn" @@ -137,7 +137,7 @@ jobs: echo "| Element Web | [$WEB_VERSION](https://github.com/element-hq/element-web/commit/$WEB_VERSION) |" >> $GITHUB_STEP_SUMMARY echo "| JS SDK | [$JS_VERSION](https://github.com/matrix-org/matrix-js-sdk/commit/$JS_VERSION) |" >> $GITHUB_STEP_SUMMARY - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: webapp retention-days: 1 diff --git a/.github/workflows/build_test.yaml b/.github/workflows/build_test.yaml index b19e9cd..ab00dd2 100644 --- a/.github/workflows/build_test.yaml +++ b/.github/workflows/build_test.yaml @@ -27,9 +27,9 @@ jobs: test: runs-on: ${{ inputs.runs-on }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: .node-version cache: "yarn" @@ -37,7 +37,7 @@ jobs: - name: Install Deps run: "yarn install --frozen-lockfile" - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: ${{ inputs.artifact }} path: dist @@ -75,7 +75,7 @@ jobs: - name: Upload blob report if: always() && inputs.blob_report - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: blob-report-${{ inputs.artifact }} path: blob-report 
@@ -83,7 +83,7 @@ jobs: - name: Upload HTML report if: always() && inputs.blob_report == false - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: ${{ inputs.artifact }}-test path: playwright-report diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml index 35a6b11..44a28c3 100644 --- a/.github/workflows/build_windows.yaml +++ b/.github/workflows/build_windows.yaml @@ -65,15 +65,15 @@ jobs: } } - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/download-artifact@v4 + - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: webapp - name: Cache .hak id: cache - uses: actions/cache@v4 + uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4 with: key: ${{ runner.os }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion') }} path: | @@ -102,7 +102,7 @@ jobs: rustup default stable rustup target add ${{ steps.config.outputs.target }} - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: .node-version cache: "yarn" @@ -206,7 +206,7 @@ jobs: | ForEach-Object -Process {. $env:SIGNTOOL_PATH verify /pa $_.FullName; if(!$?) { throw }} - name: Upload Artifacts - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: win-${{ inputs.arch }} path: | diff --git a/.github/workflows/dockerbuild.yaml b/.github/workflows/dockerbuild.yaml index d4e37c3..f0d98f5 100644 --- a/.github/workflows/dockerbuild.yaml +++ b/.github/workflows/dockerbuild.yaml @@ -19,7 +19,7 @@ jobs: contents: read packages: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Set up QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3 
diff --git a/.github/workflows/static_analysis.yaml b/.github/workflows/static_analysis.yaml index 5812b9b..146cf8b 100644 --- a/.github/workflows/static_analysis.yaml +++ b/.github/workflows/static_analysis.yaml @@ -9,9 +9,9 @@ jobs: name: "Typescript Syntax Check" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: package.json cache: "yarn" @@ -35,9 +35,9 @@ jobs: name: "ESLint" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: package.json cache: "yarn" @@ -53,9 +53,9 @@ jobs: name: "Workflow Lint" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: package.json cache: "yarn" @@ -71,9 +71,9 @@ jobs: name: "Analyse Dead Code" runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version-file: package.json cache: "yarn" diff --git a/.github/workflows/triage-stale.yml b/.github/workflows/triage-stale.yml index 5921d92..46aa4ae 100644 --- a/.github/workflows/triage-stale.yml +++ b/.github/workflows/triage-stale.yml @@ -12,7 +12,7 @@ jobs: issues: write pull-requests: write steps: - - uses: actions/stale@v9 + - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9 with: operations-per-run: 250 days-before-issue-stale: -1 
diff --git a/dockerbuild/Dockerfile b/dockerbuild/Dockerfile index ecd61fc..00d2e3c 100644 --- a/dockerbuild/Dockerfile +++ b/dockerbuild/Dockerfile @@ -1,6 +1,6 @@ # Docker image to facilitate building Element Desktop's native bits using a glibc version (2.31) # with broader compatibility, down to Debian bullseye & Ubuntu focal. -FROM rust:bullseye +FROM rust:bullseye@sha256:f40b8cc3195deda321031e8dfe23c7d2586e3db7c4103fa36946982d9fd6d588 ENV DEBIAN_FRONTEND=noninteractive
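Review bot: The digest added to `FROM rust:bullseye@sha256:f40b8cc3195deda321031e8dfe23c7d2586e3db7c4103fa36946982d9fd6d588` freezes the base image, so Debian and Rust toolchain security updates stop arriving until someone bumps it by hand. I would add a comment above the line such as `# Pinned by digest; bump regularly (or via an update bot) to pick up base-image security fixes`. It is also worth confirming that the value is the digest of the multi-platform image index and not of a single-architecture manifest, since dockerbuild.yaml sets up QEMU, which suggests the image is built for more than one architecture. The rest of the Dockerfile is outside the hunk.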