Commit 0def4120 for xz
commit 0def41200695c830c6da95a21ef7158f60a6af01
Author: Lasse Collin <lasse.collin@tukaani.org>
Date: Fri Jun 19 22:07:15 2026 +0300
CI: Don't pin vmactions or MSYS2 actions to commit ID
These workflows don't use any secrets other than GITHUB_TOKEN, which
only has the 'contents: read' permission. That is, if an action was
compromised, it shouldn't be able to modify the repository or steal any
secrets. I recognize that a compromised action isn't completely harmless
still. For example, the runners on GitHub have Internet access which the
action could abuse until the workflow timeout (currently 10 or 20 minutes)
expires.
Now we always use the most recent actions instead of ones that are
sometimes several months old. The hassle of updating the pinned
commit IDs goes away. The benefits feel bigger than the risks.
Link: https://github.com/tukaani-project/xz/pull/227
diff --git a/.github/workflows/dragonflybsd.yml b/.github/workflows/dragonflybsd.yml
index f1ef3112..633c8f74 100644
--- a/.github/workflows/dragonflybsd.yml
+++ b/.github/workflows/dragonflybsd.yml
@@ -20,7 +20,7 @@ jobs:
- name: Test in DragonFly BSD
id: test
- uses: vmactions/dragonflybsd-vm@323497fa680c1856dd1ba5c4fd89182a9194f649 #v1.2.7
+ uses: vmactions/dragonflybsd-vm@v1
with:
usesh: true
prepare: >
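Review bot: The `uses: vmactions/dragonflybsd-vm@v1` line now follows a tag that the action's maintainers can move, and the reasoning that makes this acceptable (no secrets, a read-only GITHUB_TOKEN, a short job timeout) exists only in the commit message. None of those settings are visible in this hunk, so a later edit that adds a secret or widens `permissions:` would not prompt anyone to revisit the choice. I would put a comment directly above the line, for example `# Tracks the moving v1 tag on purpose: this job has no secrets and a read-only token. Pin to a commit SHA again if that changes.` The same applies to the `uses:` lines changed in freebsd.yml, haiku.yml, msys2.yml (both steps), netbsd.yml, openbsd.yml and solaris.yml. The step's `prepare: >` block continues past the end of the hunk.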
diff --git a/.github/workflows/freebsd.yml b/.github/workflows/freebsd.yml
index 68af562c..e4751e24 100644
--- a/.github/workflows/freebsd.yml
+++ b/.github/workflows/freebsd.yml
@@ -36,7 +36,7 @@ jobs:
- uses: actions/checkout@v7
- name: Test in FreeBSD
- uses: vmactions/freebsd-vm@4807432c7cab1c3f97688665332c0b932062d31f #v1.4.3
+ uses: vmactions/freebsd-vm@v1
with:
release: ${{ matrix.release }}
arch: ${{ matrix.arch }}
diff --git a/.github/workflows/haiku.yml b/.github/workflows/haiku.yml
index c648bebb..8d91b84f 100644
--- a/.github/workflows/haiku.yml
+++ b/.github/workflows/haiku.yml
@@ -20,7 +20,7 @@ jobs:
- name: Test in Haiku
id: test
- uses: vmactions/haiku-vm@dd2b1b3b180e8e1eac82f5c209485d376e4f48c0 #v1.0.7
+ uses: vmactions/haiku-vm@v1
with:
usesh: true
prepare: >
diff --git a/.github/workflows/msys2.yml b/.github/workflows/msys2.yml
index cbef7f03..4cf1b028 100644
--- a/.github/workflows/msys2.yml
+++ b/.github/workflows/msys2.yml
@@ -40,7 +40,7 @@ jobs:
steps:
- name: Setup MSYS2
if: ${{ matrix.sys == 'msys' }}
- uses: msys2/setup-msys2@4f806de0a5a7294ffabaff804b38a9b435a73bda # v2.30.0
+ uses: msys2/setup-msys2@v2
with:
msystem: ${{ matrix.sys }}
update: true
@@ -55,7 +55,7 @@ jobs:
- name: Setup MSYS2
if: ${{ matrix.sys != 'msys' }}
- uses: msys2/setup-msys2@fb197b72ce45fb24f17bf3f807a388985654d1f2 # v2.29.0
+ uses: msys2/setup-msys2@v2
with:
msystem: ${{ matrix.sys }}
update: true
diff --git a/.github/workflows/netbsd.yml b/.github/workflows/netbsd.yml
index c8fc8dec..4b424d87 100644
--- a/.github/workflows/netbsd.yml
+++ b/.github/workflows/netbsd.yml
@@ -20,7 +20,7 @@ jobs:
- name: Test in NetBSD
id: test
- uses: vmactions/netbsd-vm@ca7ff0556959998c82761c34ea0c3c99fa084c48 #v1.3.7
+ uses: vmactions/netbsd-vm@v1
with:
usesh: true
prepare: >
diff --git a/.github/workflows/openbsd.yml b/.github/workflows/openbsd.yml
index 61335e6e..e1157f2a 100644
--- a/.github/workflows/openbsd.yml
+++ b/.github/workflows/openbsd.yml
@@ -19,7 +19,7 @@ jobs:
- uses: actions/checkout@v7
- name: Test in OpenBSD
- uses: vmactions/openbsd-vm@3fafb45f2e2e696249c583835939323fe1c3448c #v1.3.7
+ uses: vmactions/openbsd-vm@v1
with:
usesh: true
prepare: >
diff --git a/.github/workflows/solaris.yml b/.github/workflows/solaris.yml
index f3651904..0ef1f30c 100644
--- a/.github/workflows/solaris.yml
+++ b/.github/workflows/solaris.yml
@@ -19,7 +19,7 @@ jobs:
- uses: actions/checkout@v7
- name: Test in Solaris
- uses: vmactions/solaris-vm@0a231b94365d1911cf62097ef342f6b30d95598f #v1.3.2
+ uses: vmactions/solaris-vm@v1
with:
release: 11.4-gcc
usesh: true