ci: pin actions by commit id

Author: luau-project

.github/workflows/ci.yml

@@ -50,7 +50,7 @@ jobs:
           }
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: lua-hash
 
@@ -181,7 +181,7 @@ jobs:
           }
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: lua-hash
 
@@ -319,7 +319,7 @@ jobs:
           }
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: lua-hash
 
@@ -329,16 +329,16 @@ jobs:
 
       - name: Setup MSVC dev-prompt
         if: ${{ runner.os == 'Windows' && matrix.lua-version != 'luajit' }}
-        uses: ilammy/msvc-dev-cmd@v1
+        uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0
 
       - name: Setup Lua
-        uses: luarocks/gh-actions-lua@v11
+        uses: luarocks/gh-actions-lua@989f8e6ffba55ce1817e236478c98558e598776c # v11
         with:
           luaVersion: ${{ matrix.lua-version }}
           buildCache: false
 
       - name: Setup LuaRocks
-        uses: luarocks/gh-actions-luarocks@v6
+        uses: luarocks/gh-actions-luarocks@7c85eeff60655651b444126f2a78be784e836a0a # v6
 
       - name: Lint rockspecs
         working-directory: lua-hash
@@ -419,7 +419,7 @@ jobs:
     steps:
 
       - name: Setup MSYS2
-        uses: msys2/setup-msys2@v2
+        uses: msys2/setup-msys2@40677d36a502eb2cf0fb808cc9dec31bf6152638 # v2.28.0
         with:
           msystem: ${{ matrix.MSYS2_CONFIG.sys }}
           install: |
@@ -447,7 +447,7 @@ jobs:
           luarocks config lua_dir "/${{ matrix.MSYS2_CONFIG.sys }}"
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: lua-hash
 
@@ -504,12 +504,12 @@ jobs:
         run: git config --global core.autocrlf input
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: lua-hash
 
       - name: Setup Cygwin
-        uses: cygwin/cygwin-install-action@v5
+        uses: cygwin/cygwin-install-action@f61179d72284ceddc397ed07ddb444d82bf9e559 # v5
         with:
           platform: x86_64
           install-dir: ${{ env.CYGWIN_INSTALL_DIR }}

.github/workflows/publish.yml

@@ -32,18 +32,18 @@ jobs:
           }
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: lua-hash
           ref: ${{ github.ref }}
 
       - name: Setup Lua
-        uses: luarocks/gh-actions-lua@v11
+        uses: luarocks/gh-actions-lua@989f8e6ffba55ce1817e236478c98558e598776c # v11
         with:
           buildCache: false
 
       - name: Setup LuaRocks
-        uses: luarocks/gh-actions-luarocks@v6
+        uses: luarocks/gh-actions-luarocks@7c85eeff60655651b444126f2a78be784e836a0a # v6
 
       - name: Make sure that tags from GitHub and rockspec are equal
         run: |

README.md

@@ -308,6 +308,7 @@ Allows a message, even the long ones, to be streamed in chunks to the underlying
     * Fixed an invalid error message, which would crash on Lua 5.1 and Lua 5.2, when a table of bytes was provided with numbers out of 0 - 255 range. In-depth explanation: `%I%` flag on `luaL_error` is only allowed on Lua 5.3 or newer;
     * Updated malloc calls to account for `sizeof(char)` and `sizeof(unsigned char)`;
     * Through CI, the library is also verified to work correctly on ARM64;
+    * GitHub actions were pinned by commit id to avoid supply-chain attacks;
     * Rockspec upload now lives on its own [publish.yml](./.github/workflows/publish.yml) workflow. This has the goal to avoid manual upload in case of intermitent failures (e.g.: connection issues or unavailable services). In the new publish behavior, the repository owner must trigger upload manually on GitHub for the rockspec to be published on LuaRocks website.
 * v0.0.2:
     * Added the possibility for all Unix-like distributions to build and install ```lua-hash``` using the binding for ```OpenSSL```;