Merge pull request #925 from aireilly/actions-update

Freezing actions at current SHA versions in light of CVE-2025-30066

Author: aireilly

.github/workflows/on-issues-opened.yml

@@ -18,7 +18,7 @@ jobs:
   automate-project-columns:
     runs-on: ubuntu-latest
     steps:
-      - uses: alex-page/github-project-automation-plus@v0.9.0
+      - uses: alex-page/github-project-automation-plus@303f24a24c67ce7adf565a07e96720faf126fe36 # v0.9.0
         with:
           project: Vale at Red Hat 
           column: To do

.github/workflows/preview-build.yml

@@ -22,12 +22,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0 # enable git diff and building many branches
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: '18'
       - name: Install Antora
@@ -37,7 +37,7 @@ jobs:
         run: echo "yearweek=$(/bin/date -u "+%Y%U")" >> $GITHUB_OUTPUT
         shell: bash
       - name: Restore cache
-        uses: actions/cache@v4
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.0.3
         env:
           cache-name: cache
         with:
@@ -58,15 +58,15 @@ jobs:
           echo "${{ github.event.number }}" > PR_NUMBER
           echo "${{ github.event.pull_request.head.sha }}" > PR_SHA
       - name: Upload preview-build artifact
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: preview-build
           path: |
             build
             PR_NUMBER
             PR_SHA
           retention-days: 7
-      - uses: actions/cache@v4
+      - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.0.3
         with:
           path: tmp/.htmltest
           key: ${{ runner.os }}-htmltest

.github/workflows/preview-deploy.yml

@@ -20,7 +20,7 @@ jobs:
     if: github.event.workflow_run.event == 'pull_request'
     steps:
       - name: Download preview-build artifact
-        uses: dawidd6/action-download-artifact@v9
+        uses: dawidd6/action-download-artifact@07ab29fd4a977ae4d2b275087cf67563dfdf0295 # v9
         with:
           workflow: ${{ github.event.workflow_run.workflow_id }}
           name: preview-build
@@ -40,7 +40,7 @@ jobs:
         run: |
           npx surge --project ${{ steps.vars.outputs.project }} --domain ${{ steps.vars.outputs.deploy_domain }} --token ${{ secrets.SURGE_TOKEN }}
       - name: Update status Comment
-        uses: actions-cool/maintain-one-comment@v3.2.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           body: |
@@ -50,7 +50,7 @@ jobs:
           number: ${{ steps.vars.outputs.pr_number }}
       - name: Job failure
         if: ${{ failure() }}
-        uses: actions-cool/maintain-one-comment@v3.2.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           body: |

.github/workflows/preview-start.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: create
-        uses: actions-cool/maintain-one-comment@v3.2.0
+        uses: actions-cool/maintain-one-comment@4b2dbf086015f892dcb5e8c1106f5fccd6c1476b # v3.2.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           body: |

.github/workflows/publication-builder.yml

@@ -17,21 +17,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: '18'
       - name: Install Antora
         run: npm i antora @antora/lunr-extension
       - name: Generate Site
         run: npx antora antora-playbook.yml
       - name: Upload artifacts
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: build/vale-at-red-hat
       - name: Commit artifact to publication branch
-        uses: peaceiris/actions-gh-pages@v4
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         with:
           force_orphan: true # publish branch with only the latest commit
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -18,7 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Create release
         run: |

.github/workflows/vale-on-pull.yml

@@ -15,10 +15,10 @@ jobs:
     name: Linting with Vale
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install Asciidoctor
         run: sudo apt-get install -y asciidoctor
-      - uses: errata-ai/vale-action@reviewdog
+      - uses: errata-ai/vale-action@d89dee975228ae261d22c15adcd03578634d429c # v2.1.1
         with:
           filter_mode: diff_context
           vale_flags: "--no-exit --minAlertLevel=error --glob=*.adoc"

.github/workflows/validate-rules.yml

@@ -14,7 +14,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0

.github/workflows/validate-scripts.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0 # enable git diff and building many branches

modules/user-guide/pages/using-vale-github-action.adoc

@@ -41,15 +41,15 @@ on: [pull_request]
 jobs:
   vale:
     name: Linting with Vale
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Install Asciidoctor
         run: sudo apt-get install -y asciidoctor
-      - uses: errata-ai/vale-action@reviewdog
+      - uses: errata-ai/vale-action@d89dee975228ae261d22c15adcd03578634d429c # v2.1.1
         with:
           filter_mode: diff_context
-          vale_flags: "--no-exit --minAlertLevel=error"
+          vale_flags: "--no-exit --minAlertLevel=error --glob=*.adoc"
           reporter: github-pr-review
           fail_on_error: true
         env: