ci: add zizmor workflow and pin all GitHub Actions to SHA hashes (#5237)

2026-04-30 04:30:19 +00:00 · 2026-03-25 12:28:41 -04:00 · 2026-03-25 12:28:41 -04:00 · f84563175f
commit f84563175f
parent e909d3e4a1
15 changed files with 92 additions and 41 deletions
--- a/.github/workflows/sync-skyvern-cloud.yml
+++ b/.github/workflows/sync-skyvern-cloud.yml
@ -23,7 +23,9 @@ jobs:

    steps:
      - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
      - name: Determine Git credentials
        id: git-creds
        run: |
@ -123,7 +125,7 @@ jobs:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Run GitHub File Sync
        id: file-sync
-        uses: Skyvern-AI/repo-file-sync-action@main
+        uses: Skyvern-AI/repo-file-sync-action@590c4ddbe1d7b5c4ca1e4b4edc85c7f919b6c26a # main
        with:
          GH_PAT: ${{ steps.git-creds.outputs.GH_PAT }}
          GIT_EMAIL: ${{ steps.git-creds.outputs.GIT_EMAIL }}
@ -139,7 +141,7 @@ jobs:
        if: >
          steps.check-migrations.outputs.has_migrations == 'true' && steps.file-sync.outputs.pull_request_urls

-        uses: actions/github-script@v6
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6
        env:
          PR_URLS_RAW: ${{ steps.file-sync.outputs.pull_request_urls }}
          SOURCE_PR_URL: ${{ steps.pr_details.outputs.PR_URL }}